- Dashlane confirmed a hacker accessed encrypted vaults by brute‑forcing its device registration.
- On June 4, 2026, the company released a security advisory describing a flaw in the device‑registration flow. The bug allowed an attacker to submit repeated registration attempts until the system accepted a forged device token. Once registered, the adversary could retrieve the user’s encrypted vault data. Dashlane said the attacker never obtained the master password, but could still attempt offline cracking. The company has patched the registration endpoint and forced a password reset for all affected accounts. No specific number of users was disclosed.
- The incident matters because it shows that even well‑funded password managers can leak data through peripheral processes, not just the core vault. Users may need to reassess the assumptions they make about end‑to‑end encryption when a service’s supporting code is weak.
- While the breach did not expose plain‑text passwords, it underlines the importance of scrutinising every layer of a security product, not just the headline‑selling features.
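
The pattern described in the advisory summary (repeated registration attempts, then an accepted registration, then retrieval of the encrypted vault) can be hunted for in authentication logs. The detection logic below is an added example, not code from Dashlane or its advisory; the log format, event names, window and threshold are assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)  # assumed look-back window
MAX_FAILS = 5                   # assumed threshold; tune against real traffic

# Constructed sample events in a hypothetical format:
# <ISO time> <account> <source IP> <event> <outcome>
SAMPLE_LOG = """\
2026-06-01T10:00:00 alice@example.com 198.51.100.7 device_register fail
2026-06-01T10:00:05 alice@example.com 198.51.100.7 device_register fail
2026-06-01T10:00:09 alice@example.com 198.51.100.7 device_register fail
2026-06-01T10:00:14 alice@example.com 198.51.100.7 device_register fail
2026-06-01T10:00:20 alice@example.com 198.51.100.7 device_register fail
2026-06-01T10:00:26 alice@example.com 198.51.100.7 device_register ok
2026-06-01T10:00:31 alice@example.com 198.51.100.7 vault_fetch ok
2026-06-01T11:00:00 bob@example.com 203.0.113.9 device_register fail
2026-06-01T11:02:00 bob@example.com 203.0.113.9 device_register ok
2026-06-01T11:02:10 bob@example.com 203.0.113.9 vault_fetch ok
"""


def triage(log_text):
    """Return {account: finding} for registrations that follow a failure burst."""
    fails = defaultdict(deque)  # account -> timestamps of recent failures
    suspect = set()             # (account, ip) pairs registered after a burst
    findings = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue            # skip malformed lines
        ts, account, ip, event, outcome = parts
        when = datetime.fromisoformat(ts)
        if event == "device_register":
            recent = fails[account]  # per account, so rotating IPs still counts
            while recent and when - recent[0] > WINDOW:
                recent.popleft()
            if outcome == "fail":
                recent.append(when)
                continue
            if len(recent) >= MAX_FAILS:
                suspect.add((account, ip))
                findings[account] = "suspect_registration"
            recent.clear()
        elif event == "vault_fetch" and (account, ip) in suspect:
            findings[account] = "vault_retrieved_after_suspect_registration"
    return findings

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

An account flagged at the second level is one where the encrypted vault should be treated as exposed to offline cracking, which is the case the forced password reset addresses.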
