Hackers forcefully bypassed Dashlane's two-factor authentication and accessed encrypted vaults.
TL;DR: Attackers brute-forced Dashlane's two-factor authentication (2FA) system to register new devices on fewer than 20 accounts, resulting in the download of their encrypted password vaults. These vaults remain secure with master passwords that Dashlane does not store, yet users with weak passwords face an offline cracking threat.
Dashlane announced on Sunday that an external attacker performed a brute-force attack on its 2FA system, successfully bypassing 2FA protections on fewer than 20 personal plan user accounts and obtaining copies of their encrypted password vaults. The attack, which started on May 31, caused automatic account lockouts for a larger set of targeted users as Dashlane's security systems detected a high volume of authentication attempts.
The approach was simple: attackers utilized automated software to quickly submit all possible numeric combinations for time-based 2FA codes, trying to guess the correct sequence before each code expired. When they succeeded, they were able to register a new device on the compromised account, granting them the access necessary to download the user's encrypted vault from Dashlane's servers.
What was taken and its significance
The encrypted vaults consist of the user's stored passwords, secure notes, and other credentials, but they are protected with the user's master password, which Dashlane asserts is never transmitted to its servers in plaintext. This zero-knowledge architecture ensures that, even if an attacker obtains a vault, they cannot access its contents without the master password. Dashlane claims that its vault encryption "ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over time."
This assurance only applies if the affected users selected strong, unique master passwords. If any of the fewer than 20 users whose vaults were accessed employed weak or reused master passwords, those vaults could potentially be cracked offline using dictionary attacks or brute-force techniques. Credential stuffing attacks, which leverage passwords exposed in previous breaches, are particularly effective against users who reuse passwords across different services.
The 2FA vulnerability
The attack took advantage of a basic limitation of time-based one-time password (TOTP) codes: they are typically just six digits long, so there are only one million possible values within each 30-second window. Automated systems can submit thousands of attempts per second, and if rate limiting is not sufficiently strict, the odds of guessing a valid code within its active period become significant after enough attempts.
Dashlane's security measures detected the intrusion and locked the affected accounts, preventing broader breaches but leading to disruptions for legitimate users who found themselves locked out. The balance between security measures and user experience is an ongoing challenge for authentication systems: stringent lockouts prevent attackers but also cause denial-of-service situations for genuine users.
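To make the arithmetic and the lockout trade-off above concrete, here is an added example (not Dashlane's code and not from this article): a standard RFC 6238 TOTP generator, a per-account verifier that locks the account after a fixed number of failed codes, and a function giving the probability that a given number of guesses per window hits a valid code. The secret, account name and attempt limit are constructed values.

```python
import hmac
import hashlib
import struct

CODE_SPACE = 10 ** 6   # six-digit codes: one million possible values
STEP = 30              # seconds per TOTP window


def success_probability(attempts_per_window: int, windows: int) -> float:
    """Chance that submitting `attempts_per_window` distinct guesses in each of
    `windows` consecutive 30-second periods matches a valid code at least once.
    Assumes the server accepts only the current window; accepting adjacent
    windows for clock drift multiplies the number of codes that would pass."""
    p_window = min(attempts_per_window, CODE_SPACE) / CODE_SPACE
    return 1 - (1 - p_window) ** windows


def totp(secret: bytes, unix_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, six digits) for the given Unix time."""
    counter = struct.pack(">Q", unix_time // STEP)
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    value = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % CODE_SPACE:06d}"


class TotpVerifier:
    """Verifies codes and locks an account after `max_attempts` failures.

    Locking is the server-side safeguard the article describes: it stops a
    guessing run long before the one-million code space can be covered, at
    the cost of locking out the real user until the lock is cleared."""

    def __init__(self, secret: bytes, max_attempts: int = 5):
        self.secret = secret            # constructed per-account secret
        self.max_attempts = max_attempts
        self.failures: dict[str, int] = {}
        self.locked: set[str] = set()

    def verify(self, account: str, code: str, unix_time: int) -> bool:
        if account in self.locked:
            return False                # even a correct code is refused
        if hmac.compare_digest(code, totp(self.secret, unix_time)):
            self.failures.pop(account, None)
            return True
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked.add(account)
        return False
```

Locked accounts should additionally raise an alert and require an out-of-band recovery step, since the lockout itself is the signal that a guessing run was in progress.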
Dashlane stated that its investigation revealed no evidence of compromise within its own systems. The attack targeted user accounts externally rather than exploiting a flaw in Dashlane's infrastructure.
The LastPass parallel
This incident will likely be compared to the 2022 LastPass breach, where attackers stole encrypted password vaults from millions of users. In that situation, researchers later confirmed that some vaults with weak master passwords were cracked, resulting in cryptocurrency thefts and other harms. Law enforcement is increasingly targeting cybercriminal operations, but offline vault cracking occurs outside the reach of server-side safeguards.
The scale differs, with fewer than 20 vaults impacted as opposed to millions, but the principle remains the same: an encrypted vault's security is contingent on the strength of the master password protecting it. Dashlane advises affected users to review their registered devices, remove any unrecognized devices, enable 2FA if it is not already active, and most importantly, to use a long and complex master password that is hard to guess.
The disclosure follows responsible security communication protocols, with Dashlane promptly publishing its advisory and providing clear remediation steps. However, this incident raises a broader question for the password manager industry: if 2FA can be brute-forced to register new devices, what additional layers of authentication are needed to protect such a critical consumer security product?
