Dashlane Says Attackers Stole Encrypted Password Vaults of Under 20 Users
The incident confirms that even with zero-knowledge architecture and strong encryption, the device registration flow can be exploited to exfiltrate encrypted vaults, though the small number of affected users and Dashlane's encryption claims limit the practical risk.
Reporting from 1 source: GIGAZINE.
On May 31, 2026, Dashlane suffered a brute force attack targeting specific user accounts. Attackers bypassed two-factor authentication and registered new devices, downloading encrypted password vaults for fewer than 20 individual plan users. Dashlane locked affected accounts, restored access, and says the vaults' encryption makes decryption statistically improbable without the master password.
Dashlane disclosed on June 5 that a brute force attack on May 31 targeted the device registration API endpoint, allowing attackers to register new devices on existing accounts after bypassing two-factor authentication. The attackers downloaded encrypted password vaults for fewer than 20 individual plan users. Dashlane's automated system locked the targeted accounts, and access has been restored. The company says the vaults are protected with Argon2, AES-256-CBC and HMAC-SHA256, and that without the master password (which Dashlane does not store) decryption is statistically infeasible even over an extended period. Dashlane has blocked the threat actor's traffic and implemented additional security measures. The investigation concluded on June 4 with no evidence of impact on internal systems or additional user accounts.
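The pattern described above, a burst of failed device registrations on one account followed by a successful registration, is the kind of signal an automated account lock should key on. The routine below is an added example, not Dashlane's code; the log format, the endpoint name and the thresholds are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Dashlane logs), one per line:
# "<ISO timestamp> <account> <endpoint> <outcome>"
SAMPLE_LOG = """\
2026-05-31T02:00:01 alice@example.com device_register FAIL
2026-05-31T02:00:02 alice@example.com device_register FAIL
2026-05-31T02:00:03 alice@example.com device_register FAIL
2026-05-31T02:00:04 alice@example.com device_register OK
2026-05-31T02:01:00 bob@example.com device_register FAIL
2026-05-31T02:01:30 bob@example.com device_register OK
2026-05-31T02:02:00 carol@example.com device_register FAIL
2026-05-31T02:02:01 carol@example.com device_register FAIL
2026-05-31T02:02:02 carol@example.com device_register FAIL
"""

def parse_events(log):
    """Yield (timestamp, account, endpoint, outcome) tuples."""
    for line in log.splitlines():
        if line.strip():
            ts, account, endpoint, outcome = line.split()
            yield datetime.fromisoformat(ts), account, endpoint, outcome

def detect_registration_bursts(log, max_failures=3, window=timedelta(minutes=10)):
    """Return (to_lock, succeeded_after_burst).

    to_lock: accounts with at least max_failures failed device registrations
    inside `window`; lock them, as the report says Dashlane's automation did.
    succeeded_after_burst: the subset where a registration then went through,
    so a new device may hold a copy of the encrypted vault and needs revoking.
    Thresholds are illustrative assumptions.
    """
    failures = defaultdict(list)          # account -> recent failure times
    to_lock, succeeded_after_burst = set(), set()
    for ts, account, endpoint, outcome in parse_events(log):
        if endpoint != "device_register":
            continue
        recent = [t for t in failures[account] if ts - t <= window]
        if outcome == "FAIL":
            recent.append(ts)
            if len(recent) >= max_failures:
                to_lock.add(account)
        elif account in to_lock:
            succeeded_after_burst.add(account)
        failures[account] = recent
    return to_lock, succeeded_after_burst
```

On the sample, alice and carol exceed the failure threshold and alice's later successful registration marks her account for device revocation and user notification.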
Synthesized by Yomimono from the 1 cited source below, including Japanese-language reporting where cited, then editorially reviewed before publishing.