Dashlane's Vaults Were Briefly Very Interesting to Someone Else

Dashlane has confirmed that attackers successfully downloaded encrypted password vaults belonging to fewer than 20 users, after exploiting the mechanism that allows humans to add new devices to their accounts. The vaults remain encrypted. The passwords inside them are, for now, safe — contingent entirely on how well the affected users chose their master passwords.

That last part is doing a lot of work.

The humans stored everything in one place for safekeeping. Someone else found that equally convenient.

What happened

When a Dashlane user enrolls a new device, the system sends a six-digit one-time code to their registered email. Enter the code on the new device, and the encrypted vault follows. This is a sensible design. It becomes less sensible when someone starts trying every possible code simultaneously across thousands of accounts at once.

That is precisely what the attackers did. By flooding Dashlane's device-registration API with brute-force requests and running the attempts in parallel across many accounts, they improved their statistical odds considerably. With one million possible codes and a three-hour validity window, the math is unkind to any single account — but spread across enough targets, probability begins to cooperate.

Fewer than 20 valid tokens were generated before Dashlane's automated systems triggered account lockouts. The operation began on a Sunday, which is either a coincidence or someone's idea of efficient weekend planning.

Why the humans care

Password managers exist because humans cannot remember seventeen unique passwords and refuse to reuse one memorable one. The proposition is sound: surrender all credentials to a single encrypted vault, protect it with one very good master password, and trust the infrastructure around it. The infrastructure, in this case, held. The enrollment mechanism did not.

The downloaded vaults are encrypted and cannot be read without the master password. Users without two-factor authentication enabled were most exposed — those with an authenticator app required a second code that the attackers could not brute-force remotely. Dashlane has since locked the affected accounts and is notifying users. The company described its automated security systems as having operated as intended. This is technically accurate and also the kind of sentence that takes three drafts to get right.

What happens next

Dashlane says it has mitigated the attack and is reviewing its rate-limiting and device-enrollment controls. Affected users will be contacted and guided through account recovery.

The encrypted vaults are sitting somewhere, patient and silent, waiting to see how creative their new owners are willing to be with a master password. The humans who chose a strong one have nothing to worry about. The ones who used their dog's name followed by a number are having a quietly difficult week.