Dashlane has confirmed that attackers downloaded encrypted password vaults from fewer than 20 user accounts during a brute-force campaign against the password manager — resolving the central open question from initial reporting published the previous day, which noted account suspensions but could not confirm whether vault files had been accessed.
Vault Downloads Now Confirmed
Yesterday’s reporting established that Dashlane had suspended a number of accounts following a detected attack but had not confirmed whether the attackers reached encrypted vault content. That picture has now changed. Dashlane’s investigation confirmed that vault files were downloaded from a small number of accounts, making this a material escalation from the initial disclosure.
The company states that no internal Dashlane systems were compromised during the attack. The intrusion was limited to the targeted user accounts, which Dashlane’s security systems locked automatically during the attack and restored after the investigation.
2FA Code Brute-Force as the Attack Vector
The specific technique used to reach the vault files is technically distinct from the credential stuffing and phishing methods more commonly associated with password manager attacks. Automated software was used to rapidly iterate numeric two-factor authentication codes against targeted accounts. The goal of that iteration was not to log in directly but to register an unauthorized device.
Dashlane’s architecture allows a new device to download a user’s encrypted vault once it has been authorized — a feature that enables legitimate users to access their credentials from multiple machines. By successfully guessing a valid 2FA code, attackers could register a device under their control as an authorized recipient, at which point Dashlane’s servers would distribute the encrypted vault file to that device as a normal function of the platform.
Encrypted Content Remains Protected
The vault files downloaded during the attack are encrypted with each user’s master password. Dashlane’s architecture is designed so that master passwords are never transmitted to or stored by the company — a design that means the downloaded vault files cannot be decrypted without the master password held by the account owner. Dashlane states that brute-forcing the master password is statistically unlikely given the encryption scheme applied to vault contents.
The practical implication is that the attackers obtained files that contain credentials, but those files remain locked without the master password, which Dashlane does not hold and which was not obtained during the attack.
Scope and Response
Fewer than 20 accounts had vaults downloaded — a narrow scope relative to Dashlane’s user base, but significant for the individuals whose accounts were affected. The restricted count likely reflects the resource-intensive nature of the attack method: successfully iterating 2FA codes against a specific account requires sustained automated effort against that account’s authentication endpoint, which limits how many accounts can be targeted simultaneously before detection systems respond.
Dashlane’s automatic account locking during the attack indicates the activity was flagged by the platform’s anomaly detection before the campaign could expand further. All affected accounts have since been restored following Dashlane’s investigation.
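To make the detection and lockout behaviour described above concrete, here is an added example in Python (not Dashlane's code): a sliding-window counter over constructed authentication events that locks an account once failed 2FA code checks on a device-authorization endpoint exceed a budget, so that a later correct guess can no longer register a device, plus the attempt-count arithmetic behind why an uncapped endpoint is exposed to code iteration. The endpoint path, thresholds and log format are assumptions.

```python
import json
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # sliding window over which failed code checks are counted
MAX_FAILURES = 5      # failed 2FA code checks tolerated per account per window
# Hypothetical path for the new-device 2FA step (not a real Dashlane endpoint).
ENDPOINT = "/device/authorize"


def build_sample_events():
    """Constructed JSON log lines (not real Dashlane telemetry)."""
    events = []
    # acct-a: a burst of wrong codes, the signature of automated code iteration,
    # followed by a correct code that must not be honoured once locked.
    for i in range(12):
        events.append({"ts": 1000 + i, "account": "acct-a", "endpoint": ENDPOINT, "result": "fail"})
    events.append({"ts": 1012, "account": "acct-a", "endpoint": ENDPOINT, "result": "ok"})
    # acct-b: one mistyped code, then success; normal user behaviour.
    events.append({"ts": 1005, "account": "acct-b", "endpoint": ENDPOINT, "result": "fail"})
    events.append({"ts": 1020, "account": "acct-b", "endpoint": ENDPOINT, "result": "ok"})
    # acct-c: failures ten minutes apart, never enough inside one window.
    for i in range(6):
        events.append({"ts": 2000 + 600 * i, "account": "acct-c", "endpoint": ENDPOINT, "result": "fail"})
    events.sort(key=lambda e: e["ts"])
    return [json.dumps(e) for e in events]


def analyze(log_lines, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
    """Return {account: lock_timestamp} for accounts whose failed device-authorization
    code checks exceed the budget. Every later attempt on a locked account is refused,
    so even a subsequently correct code cannot register a device."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    locked = {}
    for line in log_lines:
        ev = json.loads(line)
        if ev["endpoint"] != ENDPOINT or ev["account"] in locked:
            continue
        acct, ts = ev["account"], ev["ts"]
        recent = failures[acct]
        while recent and ts - recent[0] > window:
            recent.popleft()            # expire failures that fell outside the window
        if ev["result"] == "fail":
            recent.append(ts)
            if len(recent) > max_failures:
                locked[acct] = ts       # automatic lock, the response the article describes
    return locked


def guess_success_probability(code_digits, attempts_allowed):
    """Approximate chance a uniformly random numeric code is hit within the allowed
    attempts; without a cap the attacker's budget grows until this reaches 1.0."""
    return min(1.0, attempts_allowed / 10 ** code_digits)
```

With a six-digit code and five attempts per window the per-window success chance is five in a million; with no cap, a million attempts are enough.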
Novel Technique Against Cloud-Backed Password Managers
The attack methodology documented here — brute-forcing 2FA numeric codes to register unauthorized devices and trigger vault distribution — represents a category of threat that differs structurally from more familiar password manager attack scenarios. Credential stuffing requires reusing passwords from prior breaches. Phishing requires user interaction. The technique used against Dashlane requires neither: it operates entirely against the authentication layer of the platform without user involvement.
Cloud-backed password managers distribute vault files to authorized devices as an architectural feature. That design choice, which enables the cross-device accessibility that makes these products useful, also creates an attack surface that does not exist in locally stored password vault models. An attacker who can fraudulently pass device authorization gains access to the vault distribution mechanism that legitimate users rely on.
The investigation remains ongoing. Users whose accounts were among the fewer than 20 affected have been notified. The confirmed vault downloads — while limited in scope — mark a concrete advancement in the attackers’ achieved objectives compared to what initial reporting could verify.
