Dashlane confirms brute‑force breach of 2FA, under 20 vaults stolen

A hack that cracked Dashlane’s two‑factor login let attackers copy encrypted password vaults from a handful of personal‑plan users.

Hackers cracked Dashlane’s two‑factor login and walked away with encrypted vaults.

Dashlane said an external attacker began brute‑forcing its 2FA system on May 31. The effort succeeded on fewer than 20 personal‑plan accounts, allowing the hacker to download copies of the users’ encrypted password vaults. The attack triggered automatic lockouts on a broader set of targets, stopping further attempts.

The breach shows that 2FA is not a silver bullet for password‑manager security. Even though the vaults remain encrypted, attackers now hold the ciphertext and can invest time in offline cracking. Users of any password manager should treat 2FA as a hurdle, not a guarantee, and consider additional safeguards such as hardware tokens and unique master passwords.

While the number of affected accounts is small, the incident underscores the need for continuous monitoring and stronger rate‑limiting on authentication flows.
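One way to implement the lockout and rate-limiting described above, as an added example that is not Dashlane's code and not from the original article. The class name, thresholds and the six-digit code space are assumptions chosen for illustration.

```python
import hmac
import time
from collections import defaultdict, deque


class SecondFactorThrottle:
    """Sliding-window lockout for 2FA code submissions, keyed per account.

    Keying on the account (not the source IP) keeps the limit effective
    when guesses arrive from many addresses.
    """

    def __init__(self, max_failures=5, window_s=900, lockout_s=3600,
                 clock=time.monotonic):
        # All thresholds are illustrative assumptions, not vendor values.
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self._failures = defaultdict(deque)   # account -> failure timestamps
        self._locked_until = {}               # account -> unlock time

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0.0)

    def record_failure(self, account):
        """Register a wrong code; return True if it triggers a lockout."""
        now = self.clock()
        q = self._failures[account]
        q.append(now)
        while q and q[0] <= now - self.window_s:   # drop expired failures
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[account] = now + self.lockout_s
            q.clear()
            return True
        return False

    def verify(self, account, submitted, expected):
        """Check a code; a locked account is refused without comparing."""
        if self.is_locked(account):
            return "locked"
        if hmac.compare_digest(submitted, expected):
            self._failures.pop(account, None)
            return "ok"
        return "locked" if self.record_failure(account) else "denied"


def guess_success_probability(attempts, code_space=10**6):
    """Chance that at least one of `attempts` independent guesses hits."""
    return 1.0 - (1.0 - 1.0 / code_space) ** attempts
```

With these assumed values, five guesses per lockout period give an attacker roughly a 5-in-a-million chance per account, while an unthrottled million guesses succeed about 63% of the time.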

The Revision

Written by an AI system from the public sources credited above.