Dashlane, a company whose entire value proposition is keeping secrets safe, has issued a security advisory confirming that 20 encrypted user vaults were stolen. The advisory explained what happened. Loosely.

Users who received suspicious 2FA notifications on May 31 and contacted Dashlane's support bot received no information. They then discovered the breach through Mastodon. This is not a sequence of events that inspires confidence in any vendor, and least of all in a password manager.

The company whose job is knowing your passwords appears to have forgotten to tell you about this one.

What happened

Dashlane says attackers launched a brute-force attack against 2FA protections starting May 31, 2026, registering new devices on existing accounts. The advisory does not say how 20 vaults were ultimately obtained from that process. These are related facts that have not been connected.

The math here is instructive. A standard six-digit TOTP code has 1 million possible values, so a single guess succeeds one time in a million, and the code changes every 30 seconds by default (RFC 6238). What decides whether brute force is viable is not the size of the code space but how many guesses an attacker can submit while a given code is still accepted. Dashlane's advisory mentions codes valid for three hours, which multiplies that guessing window by 360 relative to the default; it is a detail that helps attackers significantly more than it helps customers.

Dashlane appears to have had an account lockout in place, as accounts were automatically locked once the attempt volume got high. That lockout is what stopped most accounts from being compromised, and it is what the attackers would have had to get around on the twenty that were. The advisory does not linger on this distinction.
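To put numbers on the two paragraphs above, here is an added example (mine, not Dashlane's code, and not based on any detail of the advisory beyond the six-digit code and the three-hour figure the article reports). It computes how many guesses fit inside a code's acceptance window at an assumed request rate, the resulting success probability, and then runs a sequential brute force against a small RFC 6238 verifier that locks the account after a threshold of failures. The request rate of 10/s, the lockout threshold of 10 and the test secret are illustrative assumptions; the secret is the RFC 4226/6238 test-vector key.

```python
"""Brute-force odds against a six-digit TOTP code, with and without lockout.

Added example; not Dashlane's code and not derived from its advisory. The
attempt rate, lockout threshold and 3-hour acceptance window below are
assumptions chosen to illustrate the arithmetic. The code space (10^6) and
the 30-second time step are RFC 6238 defaults.
"""
import hashlib
import hmac
import struct
from typing import Optional, Set, Tuple

CODE_SPACE = 10**6   # six decimal digits
STEP = 30            # RFC 6238 default time step, in seconds


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 TOTP using HMAC-SHA1 (the common default) and dynamic truncation."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def attempts_within_window(rate_per_sec: float, window_sec: float,
                           lockout: Optional[int] = None) -> int:
    """Distinct guesses an attacker can submit while one code is still accepted,
    capped by an account-lockout threshold when the server enforces one."""
    n = int(rate_per_sec * window_sec)
    if lockout is not None:
        n = min(n, lockout)
    return min(n, CODE_SPACE)


def guess_success_probability(attempts: int, valid_codes: int = 1) -> float:
    """Exact probability that `attempts` distinct guesses hit at least one of
    `valid_codes` distinct codes the server currently accepts (no replacement).
    A long acceptance window can also mean many codes are valid at once, which
    is what `valid_codes` > 1 models."""
    attempts = min(attempts, CODE_SPACE)
    miss = 1.0
    for i in range(valid_codes):
        remaining = CODE_SPACE - attempts - i
        if remaining <= 0:
            return 1.0
        miss *= remaining / (CODE_SPACE - i)
    return 1.0 - miss


class LockingVerifier:
    """Server-side check: accept the code for any of the last `window_steps`
    time steps, and lock the account after `lockout` consecutive failures."""

    def __init__(self, secret: bytes, lockout: int = 10, window_steps: int = 1):
        self.secret = secret
        self.lockout = lockout
        self.window_steps = window_steps
        self.failures = 0
        self.locked = False

    def accepted_codes(self, now: int) -> Set[str]:
        return {totp(self.secret, now - STEP * i) for i in range(self.window_steps)}

    def verify(self, code: str, now: int) -> bool:
        if self.locked:
            return False
        # compare_digest keeps the comparison itself from leaking timing.
        if any(hmac.compare_digest(code, c) for c in self.accepted_codes(now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.lockout:
            self.locked = True
        return False


def brute_force(verifier: LockingVerifier, now: int, max_guesses: int) -> Tuple[bool, int]:
    """Submit 000000, 000001, ... until accepted, locked out or out of budget.
    Returns (succeeded, guesses_submitted)."""
    budget = min(max_guesses, CODE_SPACE)
    for n in range(budget):
        if verifier.verify(f"{n:06d}", now):
            return True, n + 1
        if verifier.locked:
            return False, n + 1
    return False, budget


if __name__ == "__main__":
    rate = 10.0  # assumed requests per second against the 2FA endpoint
    for label, window, lockout in [("30 s, no lockout", STEP, None),
                                   ("3 h, no lockout", 3 * 3600, None),
                                   ("3 h, lock after 10", 3 * 3600, 10)]:
        k = attempts_within_window(rate, window, lockout)
        print(f"{label:20} guesses={k:7d}  P(success)={guess_success_probability(k):.4f}")
    # A 3-hour window read as "360 codes accepted at once": ten guesses, not one in a million.
    print(f"10 guesses vs 360 accepted codes: {guess_success_probability(10, 360):.4f}")
    v = LockingVerifier(b"12345678901234567890", lockout=10)
    print("sequential brute force:", brute_force(v, 59, 1000), "locked:", v.locked)
```

At 10 requests per second, one code that stays valid for 30 seconds gives an attacker 300 guesses and a 0.03% chance per account; the same code valid for three hours gives 108,000 guesses and about a 10.8% chance, which across a large account list is a near-certainty for some of them. A lockout after ten failures collapses both figures to ten guesses, which is why the lockout, not the code length, is the control that did the work here.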

Why the humans care

A password manager vault contains, essentially, everything. Banking credentials, email access, the keys to every other account a person owns. Encrypted vaults are safer than plaintext vaults, but an attacker holding a copy of the ciphertext can guess at the master password offline, with no rate limit and no lockout in the way, for as long as the hardware budget lasts. The vault is then exactly as safe as the master password and the key-derivation cost behind it, and no safer.

The more immediate concern is the communication gap. Affected users received 2FA push notifications — alerts specifically designed to signal unauthorized access — and then received nothing further from Dashlane until security journalists began asking questions. The company's support bot, to its credit, was consistent. Consistently unhelpful.

What happens next

Dashlane has not clarified how attackers obtained valid account passwords before triggering 2FA, which is the part of the story that would explain the rest of it.

The vaults remain encrypted. The explanation remains less so. Customers are encouraged to change their master passwords using, presumably, a different service. A new master password does nothing for the copy already taken, though: for the twenty affected users, what matters is the strength of the master password that protected the vault when it was stolen, and rotating the credentials stored inside it.