Dashlane explains how attackers managed to download encrypted password vaults

By targeting large numbers of users, attackers increased their chances of success.

Dashlane experienced a coordinated hacking campaign that targeted its users’ encrypted password vaults by exploiting a device enrollment mechanism. Attackers used brute force on API endpoints, sending a large volume of automated requests to register new devices on numerous accounts simultaneously. Although fewer than 20 personal user vaults were downloaded before the operation was shut down, users whose vaults were downloaded are advised to change their master passwords as a precaution.

  • Attackers launched a coordinated hacking campaign against Dashlane users to download encrypted password vaults.
  • The attackers abused the device enrollment mechanism by sending automated requests to Dashlane’s API endpoints.
  • The tactic involved brute-forcing one-time codes for new device registrations across a large number of accounts.
  • Fewer than 20 personal user vaults were downloaded before Dashlane’s automated security systems mitigated the attack.
  • Attackers must still crack the master password to decrypt the downloaded vaults, a process made difficult by the Argon2 algorithm.
  • Dashlane has contacted affected users and states that unaffected users do not need to take action.
  • The company advises changing master passwords for downloaded vaults, even though the chance of decryption is small.
  • The incident has similarities to the 2022 LastPass breach.

Continue reading: https://arstechnica.com/security/2026/06/dashlane-explains-how-attackers-managed-to-download-encrypted-password-vaults/
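
Spreading one-time-code guesses across many accounts, as the summary describes, can keep each account under a per-account attempt limit. The following added example (not Dashlane's code; the event format, thresholds and account names are assumptions constructed for illustration) shows detection logic that also counts distinct accounts with failed enrollment codes in a sliding window and flags enrollments that succeed during such a burst.

```python
from collections import defaultdict, deque

# Assumed thresholds, chosen for illustration only.
WINDOW = 300             # sliding window in seconds
PER_ACCOUNT_MAX = 5      # failed codes tolerated per account per window
CAMPAIGN_ACCOUNTS = 4    # distinct accounts with failures that signal spraying

def detect(events):
    """events: (ts, account, ok) tuples sorted by ts, one per code check.
    Returns (locked accounts, suspect enrollments, campaign alert times)."""
    fails = defaultdict(deque)   # account -> timestamps of recent failures
    recent = deque()             # (ts, account) for all recent failures
    locked, suspect, alerts = set(), set(), []
    active = False
    for ts, account, ok in events:
        # Drop failures that have aged out of the window.
        while recent and recent[0][0] <= ts - WINDOW:
            recent.popleft()
        q = fails[account]
        while q and q[0] <= ts - WINDOW:
            q.popleft()
        if not ok:
            q.append(ts)
            recent.append((ts, account))
            if len(q) > PER_ACCOUNT_MAX:      # classic single-account guessing
                locked.add(account)
        # Horizontal view: how many accounts are seeing bad codes right now?
        spread = len({a for _, a in recent})
        if spread >= CAMPAIGN_ACCOUNTS and not active:
            alerts.append(ts)                 # alert once per burst
        active = spread >= CAMPAIGN_ACCOUNTS
        # A device enrolled after failed guesses during a burst needs review.
        if ok and active and q:
            suspect.add(account)
    return locked, suspect, alerts

# Constructed sample: a spray of 2 bad codes on each of 6 accounts, one of
# which then succeeds; a user's single typo; one account guessed repeatedly.
SAMPLE = [(r * 60 + i, f"acct{i}", False) for r in range(2) for i in range(6)]
SAMPLE += [(130, "acct3", True)]
SAMPLE += [(5000, "user1", False), (5010, "user1", True)]
SAMPLE += [(10000 + i, "acct9", False) for i in range(6)]

if __name__ == "__main__":
    print(detect(SAMPLE))
```

In the sample, no sprayed account ever reaches the per-account limit, so only the cross-account count exposes the burst and the enrollment that succeeded inside it.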