Dashlane Hackers Stole 20 Encrypted Vaults via 2FA Brute-Force

Huma Shazia · 2 June 2026 at 10:57 pm · 5 min read
Key Takeaways

Source: TechCrunch
  • Hackers brute-forced Dashlane's 2FA system to access about 20 customer accounts and download their encrypted vaults
  • Stolen vaults remain encrypted and require each user's master password to decrypt
  • Users with weak master passwords face the highest risk of having their vault contents exposed

What Happened

Password manager Dashlane confirmed that hackers stole encrypted vaults from about 20 customer accounts during a cyberattack between May 31 and June 2, 2026. The attackers did not breach Dashlane's central infrastructure. Instead, they targeted individual accounts by brute-forcing the company's two-factor authentication system.

Two-factor authentication normally stops attackers who have stolen a username and password. It requires a second code, usually sent to the account holder's phone. Dashlane says the hackers used automated software to rapidly guess these short-lived codes before they expired.

The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.

— Dashlane

By defeating 2FA, the attackers registered their own devices to victim accounts. This let them download copies of the encrypted vaults, which store passwords and other sensitive credentials.

Are the Stolen Vaults Safe?

Dashlane uses a zero-knowledge architecture. This means the company never sees your master password in plaintext. The stolen vaults are scrambled and cannot be read without each customer's unique master password.

Even with the vault file in hand, without the user's unique Master Password, the data remains computationally infeasible to decrypt for any standard attacker.

— Cybersecurity Analyst, Industry Security Forum

The catch: customers who chose weak or easily guessed master passwords face real risk. Attackers can run offline brute-force attacks against the encrypted vault files. If your master password is "password123" or your pet's name, the encryption won't protect you for long.

The LastPass Warning

This isn't the first time a password manager breach has put users at risk. In 2022, LastPass confirmed that hackers stole customer vault backups during a cyberattack. Those vaults were also encrypted with user master passwords.

The problem: early LastPass customers had weaker password requirements. Hackers were able to brute-force some of those master passwords. Multiple reports have since linked stolen LastPass vaults to large cryptocurrency thefts. Attackers likely cracked weak master passwords and extracted private keys stored in the vaults.

Dashlane customers now face a similar question. If you've been using the service since before it enforced stronger password requirements, your master password may not be strong enough to withstand a determined offline attack.

What Dashlane Isn't Saying

Dashlane has not explained how attackers were able to brute-force 2FA codes successfully. Standard rate-limiting should prevent automated systems from submitting thousands of guesses before a code expires. The company says it has "taken steps to mitigate the risk of future incidents" but won't specify what those steps are.
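The rate-limiting point above can be made concrete. The following is an added example, not Dashlane's code (the page says its mitigations are undisclosed): a per-account failure budget for 6-digit codes, with a comparison of how many guesses reach the check in a day with and without it. The class name, thresholds and account name are assumptions chosen for illustration.

```python
import hmac

class SecondFactorLimiter:
    """Per-account failure budget for 2FA checks (hypothetical helper)."""

    def __init__(self, max_failures=5, window_s=900, lockout_s=900):
        self.max_failures, self.window_s, self.lockout_s = max_failures, window_s, lockout_s
        self._failures = {}      # account -> timestamps of recent failures
        self._locked_until = {}  # account -> time at which the lockout ends

    def verify(self, account, submitted, expected, now):
        """Return 'ok', 'bad_code' or 'locked'. Locked requests are never compared."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"
        if hmac.compare_digest(submitted, expected):  # constant-time comparison
            self._failures.pop(account, None)
            return "ok"
        recent = [t for t in self._failures.get(account, []) if now - t < self.window_s]
        recent.append(now)
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            # Budget spent: lock the account regardless of where requests come from.
            self._locked_until[account] = now + self.lockout_s
            self._failures[account] = []
        return "bad_code"


def guesses_evaluated(limiter, account, n_requests, interval_s):
    """Constructed scenario: wrong codes arrive at a fixed interval; count those compared."""
    evaluated = 0
    for i in range(n_requests):
        if limiter.verify(account, "000000", "123456", now=i * interval_s) != "locked":
            evaluated += 1
    return evaluated


def hit_probability(guesses, digits=6):
    """Chance that at least one of `guesses` independent random guesses matches."""
    return 1 - (1 - 10 ** -digits) ** guesses


if __name__ == "__main__":
    day = 86_400  # one request per second for 24 hours
    capped = guesses_evaluated(SecondFactorLimiter(), "alice", day, 1.0)
    print(capped, hit_probability(capped))  # guesses that reached the check, and their odds
    print(day, hit_probability(day))        # the same traffic with no limiter at all
```

A production deployment would pair this with alerting on repeated lockouts and on new-device registration that follows a burst of failed codes, since the lockout alone only slows the guessing.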

The company also hasn't said whether the 20 affected customers were targeted for a specific reason, such as their profession or public profile. Spokespeople did not respond to requests for comment about whether hackers made ransom demands.

Dashlane has locked the affected accounts and notified those customers directly.

What You Should Do Now

  1. Review your authorized devices in Dashlane's settings. Remove any you don't recognize.
  2. Change your master password to something long and random. A four-word passphrase is better than a short complex password.
  3. Consider using a hardware security key like a YubiKey for 2FA. These can't be brute-forced remotely.
  4. If you stored cryptocurrency keys or high-value credentials in your vault, move them to a new wallet or regenerate them.

Community Reaction

On Hacker News, the discussion centers on why SMS and app-based 2FA remain vulnerable to brute-forcing when rate limiting isn't aggressive enough. Several commenters are calling for password managers to mandate hardware security keys.

Reddit's r/Privacy community is frustrated by Dashlane's lack of transparency. Users want to know exactly how the 2FA bypass worked. Others are treating the incident as a reminder that a strong master password matters more than any secondary security layer.

Frequently Asked Questions

Were Dashlane's servers hacked?

No. Dashlane says there was no evidence of compromise to its central systems. Attackers targeted individual customer accounts by brute-forcing two-factor authentication.

Can hackers read my stolen Dashlane vault?

Not without your master password. The vault is encrypted, and Dashlane uses zero-knowledge architecture. But if your master password is weak, attackers can brute-force it offline.

How do I know if my Dashlane account was affected?

Dashlane says it has directly notified all 20 customers whose vaults were stolen. If you haven't received a notification, your account was not among those accessed.

Should I stop using Dashlane?

That's a personal decision. The breach was limited to 20 accounts. If you use a strong master password and hardware 2FA, your risk is low. But the lack of transparency about how 2FA was bypassed is concerning.

What's the best way to protect my password manager account?

Use a long, random master password (a four-word passphrase works well). Enable hardware security key authentication if available. Review your authorized devices regularly.

Source: TechCrunch / Zack Whittaker

Huma Shazia

Senior AI & Tech Writer
