Dashlane explains how attackers downloaded encrypted password vaults from fewer than 20 accounts


Dashlane has completed its investigation into a brute-force attack that let an external threat actor register unauthorized devices on a small number of user accounts and download encrypted password vault copies.

The incident affected fewer than 20 personal plan users, according to Dashlane’s security advisory. Dashlane says it directly notified each affected user and found no evidence that its internal systems were compromised.

The company said the attack began on May 31, 2026, and targeted the device registration flow. This is the process used when a customer adds a new phone, computer, or other device to an existing Dashlane account.

How the attackers got encrypted vault copies

Dashlane says the attacker targeted API endpoints used for device registration. The attacker sent a high volume of automated requests in an attempt to guess 6-digit verification codes.

When a user adds a device, Dashlane verifies the account holder by sending a one-time 6-digit token to the registered email address, or by validating a 6-digit code from an authenticator app for users who enabled 2FA.

Once the correct code is entered, Dashlane registers the new device and downloads an encrypted copy of the user’s vault to that device. In fewer than 20 cases, the attacker guessed a valid code before the attack was fully mitigated, and the normal registration flow then delivered the encrypted vault to the attacker-controlled device.
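The verification step described above, modelled as an added example (this is illustrative code, not Dashlane's): a 6-digit code is issued per account, each code is single-use, expires, and gets a bounded number of guesses before the challenge locks. MAX_ATTEMPTS and CODE_TTL_SECONDS are assumed values, since the advisory does not state Dashlane's real limits.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_DIGITS = 6
MAX_ATTEMPTS = 5         # assumed per-challenge guess budget (not Dashlane's figure)
CODE_TTL_SECONDS = 600   # assumed validity window (not Dashlane's figure)


@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class DeviceRegistrationVerifier:
    """One pending challenge per account; `now` is injectable for testing."""

    def __init__(self, now=time.time):
        self.now = now
        self.challenges: dict[str, Challenge] = {}

    def issue(self, account: str) -> str:
        # Uniform random code from the CSPRNG; in production it is e-mailed, never returned.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[account] = Challenge(code=code, issued_at=self.now())
        return code

    def verify(self, account: str, candidate: str) -> str:
        ch = self.challenges.get(account)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.challenges[account]
            return "expired"
        ch.attempts += 1  # count every guess, valid-looking or not
        well_formed = len(candidate) == CODE_DIGITS and candidate.isascii() and candidate.isdigit()
        if well_formed and hmac.compare_digest(ch.code, candidate):
            del self.challenges[account]  # single-use: a replayed code cannot register a second device
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True  # further guesses, even the right one, are refused
            return "locked"
        return "wrong"


def brute_force_success_probability(attempts: int) -> float:
    """Chance of hitting one uniform 6-digit code within `attempts` guesses (no limit: 1.0 at 10**6)."""
    return min(1.0, attempts / 10 ** CODE_DIGITS)
```

With the budget enforced, an unthrottled 1,000,000-guess sweep collapses to MAX_ATTEMPTS guesses per challenge, which is the property the added verification layers are meant to provide.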

Incident detail     What Dashlane reported
Attack start        May 31, 2026
Attack target       Device registration API endpoints
Method              Automated brute-force attempts against 6-digit verification codes
Affected users      Fewer than 20 personal plan customers had encrypted vaults downloaded
Internal systems    Dashlane says it found no evidence of compromise

Dashlane says the vaults remain encrypted

The downloaded vault copies were not plaintext password lists. Dashlane says vault data cannot be accessed without the user’s Master Password, which the company does not store on its servers.

Dashlane’s security documentation says its service uses a zero-knowledge model, meaning stored vault data remains encrypted and cannot be read by Dashlane.

The company says its vault encryption uses Argon2, AES-256-CBC, and HMAC-SHA256. That design makes offline guessing much harder, especially when the user has a long, unique Master Password.

Why the Master Password still matters

The incident shows why the Master Password remains the most important line of defense for password manager users. If attackers obtain only an encrypted vault, they still need to crack the Master Password before they can view its contents.

In its Security Principles and Architecture document, Dashlane says each vault would require an independent brute-force attack protected by Argon2 key stretching and per-user salts.

That does not mean every user can ignore the issue. A weak, reused, or easily guessed Master Password can reduce the protection offered by encryption. A strong Master Password gives attackers a much harder offline target.

Dashlane’s automatic protections locked targeted accounts

Dashlane said its automated security controls triggered account lockouts because of the high volume of attempts. Many users saw temporary suspensions or authentication problems during the response.

The company later restored access to suspended accounts. It also blocked malicious traffic and deployed additional protections to detect and filter similar activity.

The Hacker News reported that the attackers succeeded only in a small number of cases before Dashlane contained the campaign. The report also noted that affected users were contacted directly.

What Dashlane changed after the attack

Dashlane said it added extra protections at the network level and inside the product. It also started adding more verification layers to the new-device registration process.

Those changes matter because the attack did not focus on breaking encryption. It focused on the authentication perimeter around device approval.

In practice, that means attackers tried to get a device trusted first, then relied on normal product behavior to receive an encrypted vault copy. This is different from stealing plaintext passwords or compromising Dashlane’s backend systems.

  • Dashlane blocked malicious traffic linked to the attack.
  • Suspended and blocked accounts were reactivated.
  • Additional detection and filtering protections were added.
  • The device registration flow is receiving extra verification layers.
  • Affected users were notified directly.

What users should check now

Dashlane says users who did not receive a specific vault-risk message were not impacted by the vault download portion of the incident. Still, all users can take a few practical steps to reduce account risk.

Users should review trusted devices, remove anything they do not recognize, and enable 2FA if it is not already active. They should also make sure their Master Password is long, unique, and difficult to guess.

The Dashlane advisory says users do not need to change vault credentials unless they were among the few contacted customers or suspect phishing or Master Password exposure.

Action                          Why it helps
Review registered devices       Helps identify any device you did not authorize.
Enable 2FA                      Adds a second verification layer for account access.
Use a strong Master Password    Makes offline vault cracking much harder.
Watch for phishing emails       Prevents attackers from capturing login or verification data.
Keep devices clean              Reduces the risk of malware capturing decrypted vault data locally.

The incident highlights a broader password manager risk

Password managers protect sensitive data with encryption, but attackers may target surrounding account workflows. Device approval, account recovery, email access, session tokens, and phishing can all become attack paths.

Dashlane says only the user can decrypt vault data because the Master Password is not known by the company. That design reduces the impact of encrypted vault theft, but it does not remove the need for strong authentication controls.

Dashlane’s architecture document also says vault encryption and server authentication are separated, with no centralized secret that can unlock multiple user vaults at once.

What this means for password manager users

The attack does not mean password managers are unsafe. It shows that password managers remain valuable targets, and attackers will look for weak points around authentication and device trust.

For most users, the main lesson is direct. A password manager still needs strong 2FA, a strong Master Password, trusted devices, and careful handling of account emails.

The Hacker News report also noted that users should review registered devices and remove anything unfamiliar. That advice applies broadly to any password manager account, not only Dashlane.

Dashlane says its investigation is complete and found no additional customer impact. The company’s response now turns the focus to harder device-registration checks and stronger defenses against automated token guessing.

FAQ

What happened in the Dashlane incident?

Dashlane says an external threat actor brute-forced device-registration verification codes and downloaded encrypted vault copies for fewer than 20 personal plan users.

Were Dashlane passwords exposed in plaintext?

No. Dashlane says the downloaded vault copies were encrypted and require the user’s Master Password to decrypt.

Was Dashlane’s internal system compromised?

Dashlane says it found no evidence that its internal systems were impacted by the incident.

Do all Dashlane users need to change their passwords?

Dashlane says most users do not need to change vault credentials. Users should change their Master Password if it is weak, reused, or suspected of being phished.

What should Dashlane users do now?

Users should review registered devices, remove unfamiliar devices, enable 2FA, use a strong Master Password, and watch for phishing emails.
