Hackers used brute force to compromise Dashlane's two-factor authentication and downloaded encrypted vaults.
TL;DR: Attackers successfully executed a brute-force attack on Dashlane’s two-factor authentication (2FA) system, enabling them to register new devices on fewer than 20 accounts and download their encrypted password vaults. While the vaults remain encrypted with master passwords that Dashlane does not store, users with weak passwords may be at risk of offline cracking.
On Sunday, Dashlane announced that an external attacker carried out a brute-force assault on its 2FA system, managing to bypass protections for under 20 personal accounts and download encrypted password vault copies. This attack began on May 31 and prompted automatic lockouts for a broader range of targeted users as Dashlane’s security measures identified a high rate of authentication attempts.
The attackers employed a simple tactic, utilizing automated tools to quickly input every possible numeric combination for time-sensitive 2FA codes, thereby attempting to guess the correct sequence before the codes expired. When successful, they were able to add a new device to the compromised account, granting them access to download the user's encrypted vault from Dashlane's servers.
The implications of this breach
The encrypted vaults store users' passwords, secure notes, and other credentials but are protected by the master password, which Dashlane claims is never transmitted to its servers in plain text. This zero-knowledge structure means that despite possessing a copy of the vault, an attacker cannot access its contents without the master password. Dashlane asserts that its encryption measures make unauthorized access to vaults statistically improbable, even over extended periods.
This assurance applies only if the impacted users selected robust, unique master passwords. If any of the fewer than 20 users whose vaults were compromised utilized weak or reused master passwords, those vaults could potentially be cracked offline through dictionary attacks or brute-force techniques. Credential stuffing attacks—where previously exposed passwords from other breaches are exploited—are particularly effective against users who use the same credentials across multiple services.
The flaw in 2FA
The attack took advantage of an inherent limitation in time-based one-time password (TOTP) 2FA codes, which are generally six digits long, yielding only a million combinations every 30 seconds. Automated systems can make thousands of attempts per second, and if rate limiting is not stringent enough, the likelihood of guessing a valid code within its validity period becomes significant after many attempts.
Dashlane's security measures detected the attack and locked the impacted accounts, preventing further compromise but also causing legitimate users to be locked out. This challenge of balancing security lockouts with user experience is a common dilemma for authentication systems: strict lockouts can thwart attackers but also inadvertently lead to denial-of-service situations for genuine users.
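As an added illustration (not code from Dashlane or from the article), the following Python puts numbers on the guessing odds described above and shows the server-side control whose weakness the attack relied on: a per-account failure throttle in front of TOTP verification. The limiter class, its thresholds and the injectable clock are assumptions made for the example.

```python
import hmac
import time
from collections import defaultdict, deque

TOTP_SPACE = 10 ** 6  # six-digit codes: 000000..999999
TOTP_STEP = 30        # seconds one code stays valid

def guess_success_probability(attempts, valid_codes=1, space=TOTP_SPACE):
    """Chance that `attempts` distinct guesses hit a currently valid code.
    valid_codes > 1 models servers that also accept adjacent time steps."""
    return min(1.0, attempts * valid_codes / space)

class TotpAttemptLimiter:
    """Hypothetical per-account throttle in front of TOTP verification.
    Too many failures in one window locks the account for `lockout` seconds,
    capping what a guesser can try per step; the lockout also denies the real
    user, so keep it short and notify the owner rather than lock forever."""

    def __init__(self, max_failures=5, window=TOTP_STEP, lockout=300,
                 clock=time.monotonic):
        self.max_failures, self.window, self.lockout = max_failures, window, lockout
        self.clock = clock                    # injectable for deterministic tests
        self._failures = defaultdict(deque)   # account -> recent failure times
        self._locked_until = {}

    def allow(self, account):
        now = self.clock()
        if self._locked_until.get(account, 0.0) > now:
            return False
        recent = self._failures[account]
        while recent and now - recent[0] > self.window:
            recent.popleft()                  # forget failures outside window
        return len(recent) < self.max_failures

    def verify(self, account, submitted, expected):
        """Accept only when the account is not throttled and the code matches."""
        if not self.allow(account):
            return False                      # rejected even if the code is right
        if hmac.compare_digest(submitted, expected):
            self._failures[account].clear()
            return True
        now = self.clock()
        self._failures[account].append(now)
        if len(self._failures[account]) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            self._failures[account].clear()
        return False
```

With a limit of five failures per 30-second step the worst-case chance per step is `guess_success_probability(5)`, about five in a million, versus roughly nine percent for an unthrottled 3,000 attempts per second.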
Dashlane has reported no evidence that its systems were breached; the attack was aimed at user accounts from the outside rather than taking advantage of a flaw in Dashlane's infrastructure.
The LastPass connection
This incident is likely to evoke comparisons to the 2022 LastPass breach, during which attackers accessed the encrypted password vaults of millions of users. Subsequent investigations confirmed that some vaults with weak master passwords were successfully cracked, resulting in thefts of cryptocurrency and other real-world damages. Law enforcement continues to pursue the cybercriminal operations involved, but offline vault cracking takes place beyond the reach of any server-side protection.
While the scale differs—with fewer than 20 vaults compromised compared to millions in the LastPass case—the fundamental principle remains unchanged: an encrypted vault's security hinges on the strength of the master password safeguarding it. Dashlane advises affected users to check registered devices, eliminate any unfamiliar ones, enable 2FA if it isn’t already activated, and most importantly, to utilize a strong, unique master password that is lengthy and hard to guess.
The disclosure aligns with responsible security practices, with Dashlane promptly publishing its advisory and outlining specific steps for remediation. However, the incident raises a broader concern for the password manager industry: if 2FA can be brute-forced to register new devices, what additional layers of authentication are needed to protect a security tool that so many consumers depend on?