Dashlane explains how attackers managed to download encrypted password vaults - Ars Technica
Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible. The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.

In a campaign that started Sunday, the unknown threat actor abused the mechanism that lets Dashlane users add a new device, such as a computer or phone, to their account. By driving Dashlane's device-enrollment API with automated requests, the attackers triggered enrollment attempts against large numbers of existing accounts, each of which caused a one-time code to be sent to the account's registered email address. In an update published Thursday, Dashlane wrote:

The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.

In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.

The flow and strategy of the attack

When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder’s identity. This verification is completed by sending a one-time six-digit token to the user’s registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app).

For the registration to succeed, the user must enter this code into the Dashlane application. At this point, Dashlane will approve the enrollment and send a copy of the encrypted vault to the device. Vault contents remain unreadable until the user enters the master password, which acts as a decryption key. As Dashlane explains in its security documentation, the one-time password must be entered on the new, enrolling device for the registration to be successful.

Brute-forcing the one-time code for a single account, meaning iterating through possible combinations until the right one is entered, would be little more than a fool's errand, even within the three-hour window that the codes remained valid. With 1 million possible codes, each guess has a 1-in-1,000,000 chance of success, so an attacker would have to submit hundreds of thousands of guesses within that period to reach even a coin-flip chance. Rate limiting, in which only a set number of attempts is allowed per account before it is locked out, would stop the attack long before then.

To improve their odds, the attackers triggered device-registration requests across a large number of accounts and then submitted a guess against each of them simultaneously. Each individual guess still has only a 1-in-1,000,000 chance, but the chance that at least one guess in a round lands grows with the number of accounts: one guess against each of 1,000 accounts gives roughly a 1-in-1,000 chance of opening some account, 10,000 accounts roughly 1 in 100, and so on. The more accounts targeted, the better the chance that one of them falls. The economics of password spraying work the same way. The technique also sidesteps per-account rate limiting because the attempts are spread out, so no single account receives more than a few guesses.
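The two halves of that argument, as an added example that is not Dashlane's code and not from the article: first the probability that spraying one or a few guesses across N accounts opens at least one of them, and second why a limiter that only counts failures per account misses the pattern while a counter of distinct failed accounts per source catches it. The lockout threshold, the spray threshold, the log field names and the IP addresses are assumptions, and the log lines are constructed.

```python
"""Added example (not Dashlane's code): 2FA-code spraying versus per-account
and per-source rate limiting. Thresholds, field names and IPs are assumed."""
from collections import defaultdict

CODE_SPACE = 10 ** 6    # six decimal digits
LOCKOUT_AFTER = 5       # assumed per-account failed-OTP lockout threshold
SPRAY_ACCOUNTS = 20     # assumed: one source failing on this many accounts is spraying


def p_at_least_one_hit(attempts_per_account: int, accounts: int,
                       code_space: int = CODE_SPACE) -> float:
    """Probability that at least one vault is opened when the attacker makes
    `attempts_per_account` distinct guesses against each of `accounts`
    independent accounts. Per account the success chance is k/M, so the
    chance that every account survives is (1 - k/M)^N."""
    per_account = min(attempts_per_account, code_space) / code_space
    return 1.0 - (1.0 - per_account) ** accounts


def expected_hits(attempts_per_account: int, accounts: int,
                  code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts opened: the linear 'economics of spraying'."""
    return accounts * min(attempts_per_account, code_space) / code_space


def evaluate_otp_attempts(events, lockout_after=LOCKOUT_AFTER,
                          spray_accounts=SPRAY_ACCOUNTS):
    """events: iterable of dicts with keys 'account', 'src', 'ok'.
    Returns (locked_accounts, spraying_sources).
    The per-account counter is what a classic rate limiter sees; the
    per-source set of distinct failed accounts is what exposes spraying."""
    fails_per_account = defaultdict(int)
    failed_accounts_per_src = defaultdict(set)
    for e in events:
        if e["ok"]:
            continue
        fails_per_account[e["account"]] += 1
        failed_accounts_per_src[e["src"]].add(e["account"])
    locked = {a for a, n in fails_per_account.items() if n >= lockout_after}
    spraying = {s for s, accts in failed_accounts_per_src.items()
                if len(accts) >= spray_accounts}
    return locked, spraying


def sample_events():
    """Constructed log: one attacker source spreads two wrong codes over each
    of 50 accounts (never reaching the per-account lockout), plus a legitimate
    user who mistypes a code once and then gets it right."""
    ev = []
    for i in range(50):
        for _ in range(2):
            ev.append({"account": f"user{i}@example.com",
                       "src": "198.51.100.7", "ok": False})
    ev.append({"account": "alice@example.com", "src": "203.0.113.9", "ok": False})
    ev.append({"account": "alice@example.com", "src": "203.0.113.9", "ok": True})
    return ev


if __name__ == "__main__":
    for n in (1, 1_000, 100_000):
        print(f"1 guess on each of {n:>7} accounts: "
              f"P(>=1 hit) = {p_at_least_one_hit(1, n):.6f}")
    print(f"5 guesses on each of 100000 accounts: "
          f"P(>=1 hit) = {p_at_least_one_hit(5, 100_000):.3f}, "
          f"expected hits = {expected_hits(5, 100_000):.2f}")
    locked, spraying = evaluate_otp_attempts(sample_events())
    print("locked by per-account limiter:", locked)
    print("flagged as spraying by per-source counter:", spraying)
```

The point of the second function is that the two counters answer different questions: the per-account counter protects one vault, while the per-source counter (or any aggregate view of device-registration failures across the whole user base) is what notices that thousands of accounts each received a couple of bad codes at once.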

Ultimately, the 2FA spraying attack managed to hit the right combination on fewer than 20 user accounts, according to Dashlane, before it was shut down. The company said it has contacted all those users and that any user who has not already received a notification is unaffected.

For attackers to obtain the decrypted vault contents of those accounts, they would still have to crack the master password. Dashlane makes this difficult by deriving the vault's encryption key with Argon2, a deliberately slow, memory-hard key derivation function. Each conversion of a candidate master password into a key costs significant time and memory, so testing large numbers of guesses requires a tremendous amount of computing resources, even when the cracking is performed on GPUs or special-purpose hardware.

That means the chances of the attackers decrypting one of the encrypted vaults they obtained are very small if the master password was strong, meaning long, randomly generated, and high in entropy. However, not everyone uses such master passwords. If the master password appears in the word lists exchanged by password crackers, the chances of success would be higher,...
