Dashlane confirms hackers stole some customer password vaults

Summary
– Hackers breached Dashlane’s two-factor authentication system, gaining access to about 20 customer accounts and downloading encrypted password vaults.
– The attack involved brute-forcing two-factor authentication codes to register new devices on user accounts.
– Dashlane has not found evidence its own systems were compromised and has not explained how the 2FA was defeated.
– The stolen vaults are encrypted and require the customer’s master password to access, but weak master passwords increase decryption risk.
– Dashlane notified the affected customers, and it is unclear if the victims were specifically targeted or if the hackers made ransom demands.
Over the weekend, hackers managed to bypass Dashlane’s two-factor authentication and make off with encrypted password vaults belonging to roughly two dozen customers. The company confirmed the breach, stating that the attackers used a brute-force technique to defeat the security layer designed to prevent unauthorized access.
According to a statement on Dashlane’s incident page, the hackers successfully targeted about 20 user accounts. Once inside, they downloaded copies of those customers’ encrypted vaults, which contain stored passwords and other sensitive login credentials. The company emphasized that its own internal systems were not compromised, though it has yet to explain exactly how the attackers cracked the two-factor protections.
Two-factor authentication is a standard security measure that requires a second code, typically sent to a user’s phone, in addition to a username and password. Dashlane described the attack as an effort to “brute-force two-factor authentication (2FA) protections,” allowing the intruder to register new devices on existing accounts. The company explained that attackers can use automated software to rapidly cycle through numeric combinations, hoping to guess the correct code before it expires.
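As an added illustration, not code from the TechCrunch article or from Dashlane, of why guessing a six-digit code works against a verifier that accepts unlimited attempts and why a per-account failure limit shuts it down: the verifier, the lockout threshold and the sample codes below are constructed for the example, and the exhaustive-guess routine is the kind of check a defender runs against their own verifier to confirm the policy holds.

```python
import hmac
from dataclasses import dataclass, field

CODE_SPACE = 10**6      # a 6-digit numeric code has one million possible values
MAX_ATTEMPTS = 5        # hypothetical policy: failures allowed before the account locks


def guess_success_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses include the one valid code."""
    return min(attempts, code_space) / code_space


@dataclass
class OtpVerifier:
    """Checks a submitted second-factor code and throttles repeated failures per account.

    `current_code` stands in for the code a real TOTP implementation would derive
    from the shared secret and the current time step (constructed for the example).
    """
    current_code: str
    max_attempts: int = MAX_ATTEMPTS
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)

    def verify(self, account: str, submitted: str) -> str:
        # A locked account rejects everything, including the right code,
        # until an out-of-band recovery step clears the lock.
        if account in self.locked:
            return "locked"
        # Constant-time comparison so timing does not leak which digits matched.
        if hmac.compare_digest(self.current_code, submitted):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_attempts:
            self.locked.add(account)
            return "locked"
        return "rejected"


def exhaustive_guess_test(verifier: OtpVerifier, account: str,
                          code_space: int = CODE_SPACE) -> tuple[bool, int]:
    """Submits every possible code in order against one account.

    Returns (accepted, attempts_made). Run this against your own verifier: with a
    working lockout it must return accepted=False after max_attempts submissions.
    """
    for n in range(code_space):
        result = verifier.verify(account, f"{n:06d}")
        if result == "ok":
            return True, n + 1
        if result == "locked":
            return False, n + 1
    return False, code_space


if __name__ == "__main__":
    # Unthrottled verifier: enumeration is guaranteed to reach the valid code.
    weak = OtpVerifier(current_code="000007", max_attempts=10**9)
    print("no lockout:", exhaustive_guess_test(weak, "alice"))        # (True, 8)

    # Throttled verifier: the account locks after five wrong codes.
    strong = OtpVerifier(current_code="834017")
    print("lockout:", exhaustive_guess_test(strong, "alice"))         # (False, 5)
    print("correct code after lock:", strong.verify("alice", "834017"))  # locked

    # With five tries per code lifetime the per-window success chance is 5 in a million.
    print("p(success | 5 tries):", guess_success_probability(5))     # 5e-06
```

The numbers show the defensive point: the code space alone is small enough that enumeration always succeeds if the server keeps answering, so the protection comes from the attempt limit, the short code lifetime, and alerting on repeated failures, not from the six digits themselves. A production verifier would also rate-limit by source address and reset counters per time window, which this example leaves out.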
Dashlane noted that it has “taken steps to mitigate the risk of future incidents,” but did not specify what those steps are. The affected customers have been notified, though it remains unclear whether they were specifically targeted due to their roles or identities. The company did not respond to requests for comment, and it has not disclosed whether the hackers made any demands, such as a ransom.
The stolen vaults are encrypted and cannot be read without the customer’s master password, which Dashlane says is never stored in plaintext on its servers. However, the company warned that users with weak or easily guessed master passwords face a greater risk of their vaults being decrypted.
Breaches involving password managers are infrequent, but they can have serious long-term consequences. In 2022, LastPass suffered a similar incident where hackers stole encrypted vault backups. Because early customers had weaker password requirements, some vaults were cracked, leading to reports of stolen cryptocurrency. A year earlier, Passwordstate maker Click Studios urged all users to reset their credentials after hackers compromised its update system to distribute malware.
(Source: TechCrunch)