Dashlane Accounts Locked After Brute-Force Attack Targeted Device Registration
Dashlane has confirmed that a brute-force attack targeting user accounts caused temporary account lockouts and, in fewer than 20 cases, allowed attackers to download encrypted vault copies. The company says there is no evidence that its internal systems were compromised.
The incident began on May 31, 2026, according to Dashlane’s security advisory. Dashlane said an external party targeted its device registration flow, which is used when a user adds a new phone, computer, or browser to an existing account.
The attack caused automatic lockouts because Dashlane’s protections detected a high volume of failed attempts. Account access has since been restored, and Dashlane said its investigation is complete with no additional impact found.
What happened in the Dashlane brute-force attack
The attackers tried to brute-force short verification codes used during device registration. For accounts protected by 2FA, Dashlane asks for a 6-digit code from an authenticator app when the user logs in or adds a new device, as explained in Dashlane’s 2FA support documentation.
Dashlane said the attackers sent a large number of automated requests to device registration API endpoints. When those attempts triggered protection systems, targeted accounts were automatically suspended to stop further activity.
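A defender-side illustration of how a burst of failed code submissions against a device registration endpoint can be spotted. This is an added example, not Dashlane's detection logic: the log format (`timestamp account source result`), the sample events and the thresholds are all constructed for the demonstration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds are illustrative assumptions, not Dashlane's actual tuning.
WINDOW = timedelta(seconds=60)
ACCOUNT_FAIL_LIMIT = 10   # failed 6-digit codes on one account per window
SPRAY_ACCOUNT_LIMIT = 5   # distinct accounts one source hits per window

def parse_event(line):
    """Parse one constructed 'timestamp account source result' line."""
    ts, acct, src, result = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "acct": acct, "src": src, "result": result}

def find_bruteforce(lines):
    """Stream events in time order; return (accounts_to_lock, spraying_sources)."""
    fails = defaultdict(deque)   # account -> timestamps of recent failed codes
    seen = defaultdict(deque)    # source  -> (timestamp, account) of recent attempts
    lock, spray = set(), set()
    for ev in sorted(map(parse_event, lines), key=lambda e: e["ts"]):
        cutoff = ev["ts"] - WINDOW
        q = seen[ev["src"]]
        q.append((ev["ts"], ev["acct"]))
        while q and q[0][0] < cutoff:
            q.popleft()
        if len({a for _, a in q}) >= SPRAY_ACCOUNT_LIMIT:
            spray.add(ev["src"])       # one source probing many accounts
        if ev["result"] != "fail":
            continue
        f = fails[ev["acct"]]
        f.append(ev["ts"])
        while f and f[0] < cutoff:
            f.popleft()
        if len(f) >= ACCOUNT_FAIL_LIMIT:
            lock.add(ev["acct"])       # automatic lockout candidate
    return lock, spray

def constructed_log():
    """Constructed sample: one account hammered, one source spraying, one benign user."""
    t0 = datetime(2026, 5, 31, 2, 0, 0)
    fmt = lambda t: t.strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = [f"{fmt(t0 + timedelta(seconds=2 * i))} u100 203.0.113.7 fail" for i in range(15)]
    lines += [f"{fmt(t0 + timedelta(seconds=i))} u{200 + i} 198.51.100.9 fail" for i in range(6)]
    lines += [f"{fmt(t0)} u300 192.0.2.5 fail",
              f"{fmt(t0 + timedelta(seconds=40))} u300 192.0.2.5 ok"]
    return lines

if __name__ == "__main__":
    print(find_bruteforce(constructed_log()))
```

The two signals are deliberately separate: a single account with many failures is a lockout candidate, while a single source touching many accounts is the network-level pattern that blocking traffic sources addresses.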
Independent coverage from Help Net Security noted that some users first reported account suspension emails and login problems before Dashlane published more details about the incident.
| Incident detail | Information |
|---|---|
| Start date | May 31, 2026 |
| Attack type | Brute-force attack against device registration codes |
| Main impact | Temporary account suspensions and device registration disruption |
| Vault exposure | Encrypted vault copies downloaded for fewer than 20 personal-plan users |
| Internal system compromise | No evidence found by Dashlane |
| Investigation status | Completed on June 4, 2026 |
Why attackers targeted device registration
Device registration is a valuable target because it lets a new device connect to an existing password manager account. If the attacker can pass the verification step, the service may register the device and download a copy of the encrypted vault to it.
The Hacker News reported that the attackers generated valid tokens for fewer than 20 personal-plan customers before the activity was fully mitigated. Those successful attempts allowed the attacker to register new devices and download encrypted vault copies.
This does not mean the attackers could immediately read stored passwords. A downloaded Dashlane vault remains encrypted, and the user’s Master Password is required to decrypt the vault contents.
- The attacker targeted the device registration flow.
- The attacker tried large numbers of 6-digit verification codes.
- Dashlane’s security systems locked targeted accounts automatically.
- Fewer than 20 personal-plan users had encrypted vault copies downloaded.
- Dashlane notified those users directly.
- Users who did not receive a vault-risk notification were not impacted in that way.
Encrypted vaults still need the Master Password
Dashlane says vault data cannot be accessed without the Master Password. Its zero-knowledge architecture separates vault encryption from server authentication, so Dashlane does not store users’ Master Passwords or derived encryption keys on its servers.
The company also says its vault encryption uses Argon2, AES-256-CBC, and HMAC-SHA256. That design makes offline guessing harder, especially when the Master Password is long, unique, and difficult to predict.
The risk is higher if the Master Password is weak, reused, or may have been phished. Dashlane says users do not need to change their Master Password because of this incident unless they believe it may be weak or exposed.
Dashlane says its internal systems were not breached
Dashlane’s incident update says there is no evidence that its internal systems were impacted. The company described the event as an external brute-force attack against account flows, not a compromise of Dashlane’s backend infrastructure.
Help Net Security reported that Dashlane's incident updates first moved from investigation to resolution while users were still discussing account suspension emails and login issues. The company later added more technical detail about the device registration flow and its protections.
Dashlane said it blocked malicious traffic sources and added network-level and product-level controls to better detect and filter similar attacks. It also said additional verification layers are being added to the new device registration process.
| Question | Current answer |
|---|---|
| Were all Dashlane users affected? | No. Dashlane says only certain accounts were targeted. |
| Were vaults decrypted? | No public evidence shows vault contents were decrypted. |
| Were internal systems breached? | Dashlane says there is no evidence of internal system compromise. |
| Were affected users notified? | Dashlane says users with vault-risk impact were notified directly. |
| Is the incident still under investigation? | Dashlane says the investigation is complete as of June 4, 2026. |
What users should do now
Most Dashlane users do not need to rotate every password stored in their vault because of this incident. Dashlane says users whose encrypted vaults were impacted were notified directly, and users who did not receive a vault-risk message were not affected by that part of the incident.
Users should still review registered devices and remove anything they do not recognize. Dashlane also recommends enabling 2FA if it is not already active and using a strong Master Password.
Dashlane’s 2FA guidance explains that authenticator app codes expire quickly, usually every 30 seconds, so the phone and login device need accurate time settings. Users who see repeated 2FA errors should verify time sync and avoid approving any unexpected device registration attempts.
- Open Dashlane and review all registered devices.
- Remove any device that looks unfamiliar.
- Enable 2FA if it is not already turned on.
- Use a long and unique Master Password.
- Change the Master Password if it is weak, reused, or possibly phished.
- Watch for unexpected account emails or device registration prompts.
Why password manager attacks keep drawing attention
Password managers store high-value encrypted data, so attackers often target login, recovery, synchronization, and device registration flows. Even when vault contents remain encrypted, gaining a vault copy can create pressure on weak Master Passwords.
The Hacker News noted that fewer than 20 personal-plan users had encrypted vaults downloaded, while the broader event triggered lockouts for numerous targeted accounts. That split is important because most affected users experienced access disruption rather than vault-copy exposure.
Dashlane’s security model reduces the impact of server-side exposure by keeping vault decryption tied to secrets that the user controls. Still, users need strong Master Passwords because an encrypted vault can become a target for offline guessing if attackers obtain a copy.
What businesses should review
Business administrators should check whether any managed users reported account lockouts, unexpected device prompts, or 2FA problems around May 31 and June 1. They should also review device lists and security alerts in the admin console where available.
Organizations should remind employees that account suspension emails can be legitimate during security incidents, but they should still avoid clicking links from unexpected messages. Users should open Dashlane directly through the app or official website rather than through email links when verifying account activity.
Security teams should treat device registration as an identity control, not just a convenience feature. Any workflow that adds a new trusted device deserves rate limiting, anomaly detection, and strong step-up verification.
- Review account and device registration events for managed users.
- Ask users to report unexpected Dashlane lockout messages.
- Confirm 2FA coverage for employees who store sensitive credentials.
- Train users to avoid entering Master Passwords after suspicious messages.
- Use phishing-resistant authentication where available.
- Monitor for password manager account access from unusual devices or locations.
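The attempt budget and automatic lockout this section calls for, written out as an added example that is not Dashlane's code: a hypothetical `DeviceRegistrationService` with an assumed five-attempt budget, a 30-second code lifetime like an authenticator-app code, and a constant-time comparison of the 6-digit code, plus the success probability that budget leaves a guesser.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
CODE_SPACE = 10 ** CODE_DIGITS   # 1,000,000 possible 6-digit codes
MAX_ATTEMPTS = 5                 # failed codes allowed before automatic lockout (assumed)
CODE_LIFETIME = 30.0             # seconds, like an authenticator-app code

@dataclass
class PendingRegistration:
    code: str
    issued_at: float
    failures: int = 0
    locked: bool = False

class DeviceRegistrationService:
    """Hypothetical verification step for adding a new device to an account."""
    def __init__(self, now=time.time):
        self.now = now          # injectable clock so expiry can be tested
        self.pending = {}

    def start(self, account):
        """Issue a fresh code; in a real system it goes to the user, not the caller."""
        code = f"{secrets.randbelow(CODE_SPACE):0{CODE_DIGITS}d}"
        self.pending[account] = PendingRegistration(code, self.now())
        return code

    def verify(self, account, submitted):
        p = self.pending.get(account)
        if p is None:
            return "no_pending"
        if p.locked:
            return "locked"         # even the right code is refused once locked
        if self.now() - p.issued_at > CODE_LIFETIME:
            return "expired"
        if hmac.compare_digest(p.code, submitted):   # constant-time comparison
            del self.pending[account]
            return "ok"
        p.failures += 1
        if p.failures >= MAX_ATTEMPTS:
            p.locked = True         # the automatic lockout the article describes
            return "locked"
        return "fail"

def bruteforce_success_probability(attempts=MAX_ATTEMPTS, space=CODE_SPACE):
    """Chance of guessing one fixed code within the attempt budget: 5 / 1,000,000."""
    return attempts / space
```

With the budget enforced per account rather than per connection, spreading requests across many source addresses does not buy extra guesses against one account, which is why the per-account counter and the network-level filtering complement each other.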
FAQ
Dashlane said an external party launched a brute-force attack against certain user accounts beginning on May 31, 2026. The attack targeted the device registration flow, which caused automated security systems to temporarily lock targeted accounts.
Dashlane said attackers downloaded encrypted vault copies for fewer than 20 personal-plan users. The company notified those users directly. The vault contents still require the user’s Master Password to decrypt.
Dashlane says there is no evidence that its internal systems were compromised. The incident involved an external brute-force attack against device registration endpoints, not a confirmed breach of Dashlane’s backend systems.
Dashlane says users do not need to change their Master Password because of this incident unless they believe it is weak, reused, or may have been phished. A long and unique Master Password remains the most important protection for encrypted vault data.
Users should review registered devices, remove anything unfamiliar, enable 2FA if they have not already done so, use a strong Master Password, and watch for unexpected device registration prompts or account emails.