The Dashlane 2FA Breach and What It Means for Cloud Vaults





On May 31, 2026, attackers brute-forced Dashlane's TOTP-based two-factor authentication and downloaded encrypted vaults. Here is how the attack worked, what it reveals about the different types of multifactor authentication, and why some architectures are not exposed to this kind of attack at all.

June 6, 2026 • Cloudless Software • 12 min read

Anything that can be hacked will be hacked. When millions of accounts store data on a single service, that service becomes a centralized attack point and the data becomes a target. The primary protection beyond the password is two-factor authentication (2FA), and over the past fifteen years it has been defeated by many different attacks: SIM swapping, real-time phishing proxies, MFA fatigue bombing, and session cookie theft, among others. On May 31, 2026, an attacker brute-forced Dashlane's six-digit 2FA code, downloaded encrypted vaults, and opened them, because they already had the master passwords.

Dashlane's encryption held, its infrastructure was not breached, and it detected the attack and shut it down. But when millions of vaults sit behind a single server and, once the master password has leaked, the only lock left on the door is a six-digit number that changes every thirty seconds, it was only a matter of time before someone built a bot that guesses faster than the server pushes back.

Here is how it worked, what it means for 2FA, and what you can do about it.

The Attack Chain

Step 1: Credential Stuffing

The attackers obtained Dashlane users' email addresses and master passwords from breaches of other services. These users had reused their Dashlane master password, the one key that protects their entire vault, on another site that was compromised. The attackers did not hack Dashlane to get these passwords. They already had them.

Step 2: TOTP Brute Force

With a valid email address and password in hand, the attackers hit Dashlane's device registration endpoint. The only remaining barrier was the six-digit TOTP code. Six digits means one million possible values, and a new code is generated every thirty seconds, so a brute force is not a one-shot guess: the attacker keeps submitting guesses, window after window, until one lands while it is still valid. That only works when the endpoint lets a single account absorb far more guesses than a rate limit should ever allow, and that is what automated software did here, at scale.

Step 3: Device Registration

Once the TOTP code was accepted, the attacker's device was registered as authorized on the user's account. Dashlane's server delivered the encrypted vault for download, exactly as it would for any newly authorized device.

Step 4: Vault Decryption

The vault is encrypted under a key derived from the master password. The attacker already has the master password from the credential stuffing step, so the encryption is not broken; it is simply unlocked with the legitimate key. The vault is open.

Dashlane reported that fewer than twenty accounts were affected, that no internal systems were compromised, and that the attack was detected and blocked. All of that is accurate. The system worked as designed: the server authenticated a request, verified a 2FA code, and served the vault. The real question is whether a six-digit code checked by a server is strong enough to be the last line of defense between an attacker who already holds the master password and an encrypted vault.

How Multifactor Authentication Works

Every form of two-factor authentication exists for the same reason: to protect access to a centralized server. A password alone is not enough because passwords get leaked, reused, and stolen, so the industry added a second factor, something beyond the password that the server checks before granting access. The strength of that second factor varies widely, but its purpose is always the same: to convince the server that you are who you say you are.

Not all second factors are created equal. Here are the most common types in use today, from weakest to strongest:

SMS Codes

A numeric code sent by text message. Vulnerable to SIM swapping, SS7 interception, and social engineering of carrier staff. Still better than no second factor, but widely considered the weakest option: NIST SP 800-63B has classed SMS (PSTN) out-of-band authentication as restricted since 2017.

TOTP (Time-Based One-Time Passwords)

A six-digit code generated by an authenticator app such as Google Authenticator, Authy, or Microsoft Authenticator, rotating every 30 seconds. Stronger than SMS because no code crosses the phone network, but it is still a six-digit number with one million possible values, it can still be relayed through a real-time phishing proxy, and the server is what verifies it. This is what was brute-forced in the Dashlane attack. The defense against brute force is server-side rate limiting: a small number of failed attempts per account followed by a lockout, and a code that is accepted at most once.
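To make the attack chain above and the rate-limiting point concrete, here is an added example (not Dashlane's code, and not from the original article) of a TOTP verifier built on RFC 6238/RFC 4226 with a one-step drift window, single-use enforcement and a per-account lockout, plus an attacker loop that enumerates codes the way the brute force in Step 2 would. The shared secret and the timestamp are the published RFC test-vector values; the drift of ±1 step, the 5-failure threshold and the 300-second lockout are assumptions chosen for illustration. The point it shows: with drift tolerated, the server accepts three of the million values at any moment, an unthrottled endpoint falls after about as many guesses as the code's numeric value, and a five-strike lockout stops the same loop in its tracks.

```python
"""TOTP brute force versus rate limiting (added example, not Dashlane's code).

Secret and timestamp are the RFC 4226 / RFC 6238 test vectors; the lockout
parameters are assumed values for illustration only.
"""
import hashlib
import hmac
import struct

STEP = 30       # seconds per TOTP window
DIGITS = 6      # the six-digit code discussed in the article

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(secret, now // step, digits)


class TotpVerifier:
    """Server-side check. max_failures=None models an endpoint with no throttling."""

    def __init__(self, secret: bytes, max_failures=5, lockout_seconds=300, drift=1):
        self.secret = secret
        self.max_failures = max_failures      # assumed threshold, not Dashlane's
        self.lockout_seconds = lockout_seconds
        self.drift = drift                    # windows of clock skew tolerated each side
        self.failures = {}                    # account -> consecutive failed attempts
        self.locked_until = {}                # account -> unix time the lockout ends
        self.last_counter = {}                # account -> last counter accepted (replay guard)

    def verify(self, account: str, code: str, now: int) -> bool:
        if now < self.locked_until.get(account, 0):
            return False                      # locked out: the code is not even evaluated
        window = now // STEP
        for counter in range(window - self.drift, window + self.drift + 1):
            if counter < 0 or counter <= self.last_counter.get(account, -1):
                continue                      # RFC 6238: never accept a code twice
            # constant-time compare so failed attempts leak nothing through timing
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter[account] = counter
                self.failures[account] = 0
                return True
        failed = self.failures.get(account, 0) + 1
        self.failures[account] = failed
        if self.max_failures is not None and failed >= self.max_failures:
            self.locked_until[account] = now + self.lockout_seconds
            self.failures[account] = 0
        return False


def brute_force(verifier: TotpVerifier, account: str, now: int, max_guesses: int):
    """Attacker who already holds the password submits 000000, 000001, ... inside
    one window. Returns (succeeded, guesses_submitted)."""
    for guess in range(max_guesses):
        if verifier.verify(account, str(guess).zfill(DIGITS), now):
            return True, guess + 1
    return False, max_guesses


def per_window_success_probability(guesses_per_window: int, accepted_codes: int = 3,
                                   digits: int = DIGITS) -> float:
    """Chance that one 30 s window yields a hit when the server accepts
    `accepted_codes` distinct values (3 for drift=1) out of 10**digits and lets
    the attacker submit `guesses_per_window` guesses before the code rotates."""
    return 1.0 - (1.0 - accepted_codes / 10 ** digits) ** guesses_per_window


if __name__ == "__main__":
    now = 59                                  # RFC 6238 vector: T=59 -> counter 1
    print("code at T=59:", totp(TEST_SECRET, now))        # 287082
    hit, n = brute_force(TotpVerifier(TEST_SECRET, max_failures=None), "alice", now, 10 ** 6)
    print("no rate limit   :", hit, "after", n, "guesses")
    hit, n = brute_force(TotpVerifier(TEST_SECRET, max_failures=5), "alice", now, 10 ** 6)
    print("5-strike lockout:", hit, "after", n, "guesses")
    for rate in (10, 1_000, 100_000):
        print(f"{rate:>7} guesses/window -> p = {per_window_success_probability(rate):.4f}")
```

Run it and the unthrottled verifier accepts guess 287083 (the RFC code for that window is 287082, and codes are tried in numeric order), while the five-strike verifier rejects everything after the fifth failure, correct code included. The probability helper is the number to carry into a design review: at a thousand guesses per window the attacker has roughly a 0.3 percent chance per window, so an endpoint that tolerates that rate hands over a random account in a few hours; at five guesses per window and a lockout it never gets there.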

Push Notifications

The service sends a prompt to your phone asking you to approve or deny a login attempt. Stronger than TOTP because there is no code to guess, but vulnerable to "MFA fatigue" attacks, where the attacker floods the user with approval requests until they tap "approve" to make it stop. This is how...

