Overview
- Dashlane found that an unknown actor abused its device-registration API and used a large-scale brute-force '2FA spraying' method to generate valid enrollment tokens and register new devices.
- The campaign began on May 31 and triggered automatic account lockouts while Dashlane investigated, but before it was contained the actor downloaded copies of the encrypted vaults of fewer than 20 personal-plan users.
- Dashlane says there is no evidence its internal systems were breached and that it has contacted every impacted customer and implemented network and product mitigations.
- The copied vaults remain encrypted and require each user's master password to decrypt, so a weak or commonly used master password could let the attacker crack that user's data offline over time.
- Users criticized Dashlane's early communications for lacking detail; the company plans to add extra verification to device enrollment and urges users to choose strong master passwords and enable two-factor authentication.
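The spraying pattern described above, as an added defender-side example that is not Dashlane's code: per-account lockout counters miss a spray because each account sees only a couple of rejected codes, while counting distinct accounts per source inside a time window catches it. The log format and sample events are constructed for the example.

```python
"""Spot '2FA spraying' against a device-enrollment endpoint.

Added example (not Dashlane's code). It assumes a constructed log line format:
<ISO timestamp> <source IP> <account id> <result>, where result is 'ok' or
'bad_code' for a rejected one-time code.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events: one source tries two codes against each of six
# accounts; a separate, legitimate user mistypes once and then succeeds.
SAMPLE_LOG = "\n".join(
    [f"2024-05-31T10:00:{i:02d}Z 203.0.113.7 user{i // 2 + 1:03d} bad_code"
     for i in range(12)]
    + ["2024-05-31T10:01:00Z 198.51.100.20 user020 bad_code",
       "2024-05-31T10:01:05Z 198.51.100.20 user020 ok"]
)

def parse_events(log):
    """Yield (timestamp, ip, account, result) tuples from the log text."""
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        yield when, ip, account, result

def per_account_lockouts(log, threshold=5):
    """Classic control: accounts with at least `threshold` rejected codes.
    A spray keeps every account below this, so it returns nothing here."""
    failures = defaultdict(int)
    for _, _, account, result in parse_events(log):
        if result == "bad_code":
            failures[account] += 1
    return {a for a, n in failures.items() if n >= threshold}

def find_sprayers(log, window=timedelta(minutes=10), min_accounts=5):
    """Sources whose rejected codes touch at least `min_accounts` distinct
    accounts within one `window` bucket, regardless of per-account counts."""
    touched = defaultdict(set)  # (ip, bucket) -> accounts with a rejected code
    for ts, ip, account, result in parse_events(log):
        if result == "bad_code":
            bucket = int(ts.timestamp() // window.total_seconds())
            touched[(ip, bucket)].add(account)
    flagged = defaultdict(set)
    for (ip, _), accounts in touched.items():
        if len(accounts) >= min_accounts:
            flagged[ip] |= accounts
    return dict(flagged)
```

Feeding the flagged source into a rate limiter or step-up verification on enrollment is the mitigation the page describes; the thresholds here are illustrative and should be tuned to real traffic.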