
Dashlane warns 20 encrypted vaults stolen in opaque advisory

Summary

– Dashlane reported that attackers obtained 20 encrypted user vaults after a brute-force attack on May 31, 2026, targeting two-factor authentication (2FA) protections to register new devices on accounts.
– The attack aimed to brute-force 2FA passcodes, which are typically six-digit one-time passwords that change every 45 seconds, requiring rapid submission of up to 1 million possible combinations within that window.
– The resources needed to send that many guesses in 45 seconds are possible but uncommon for standard brute-force attacks.
– Dashlane’s security controls automatically locked targeted accounts due to the high volume of attempts, suggesting some form of rate limiting was in place.
– Even without rate limiting, Dashlane’s servers would likely struggle to handle 150,000 or more 2FA submissions in under a minute.

A security advisory published by password manager Dashlane on Monday has raised more questions than answers, revealing that attackers successfully accessed 20 encrypted user vaults. The company stated that the breach stemmed from a targeted brute-force assault beginning on May 31, 2026.

According to Dashlane, the threat actor focused on circumventing two-factor authentication (2FA) to register new devices on compromised accounts. The advisory explains that a high volume of login attempts triggered automatic account lockouts to protect users.

Yet the explanation has left many scratching their heads. Across social media, users are struggling to grasp how such an attack could succeed. Standard 2FA codes are typically six-digit numbers generated by authenticator apps or sent via SMS or email, rotating every 30 to 45 seconds. Brute-forcing a six-digit code means trying up to 1 million possible combinations before the code expires, all within that tight window.

While it is theoretically possible to bombard a server with that many guesses in under a minute, it is far from typical. Dashlane did not explicitly confirm whether it enforces rate limits on 2FA submissions, though the advisory hints at such protections: “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even without rate limiting, receiving over 150,000 authentication requests in less than 60 seconds would likely overwhelm most server infrastructures.
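As an added example (not Dashlane's code; the lockout threshold and duration are assumed policy values, not figures from the advisory), a defender-side 2FA gate that counts failed codes and locks the account, together with the arithmetic behind the six-digit, 45-second numbers above:

```python
import hashlib
import hmac
import struct

MAX_FAILED_ATTEMPTS = 5     # assumed lockout threshold (not from the advisory)
LOCKOUT_SECONDS = 900       # assumed lockout duration (not from the advisory)
CODE_SPACE = 10**6          # six-digit codes: 000000..999999


def totp(secret, now, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app would show."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    dbc = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{dbc % 10**digits:0{digits}d}"


class TwoFactorGate:
    """Server-side check: every failed code counts, and too many lock the account."""

    def __init__(self):
        self.failed = {}          # account -> consecutive failed submissions
        self.locked_until = {}    # account -> unix time the lock expires

    def verify(self, account, secret, submitted, now):
        if self.locked_until.get(account, 0) > now:
            return "locked"       # even a correct code is refused while locked
        if hmac.compare_digest(submitted, totp(secret, now)):
            self.failed.pop(account, None)
            return "ok"
        self.failed[account] = self.failed.get(account, 0) + 1
        if self.failed[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failed.pop(account, None)   # fresh count once the lock expires
            return "locked"
        return "rejected"


def simulate_guessing(gate, account, secret, now, budget):
    """Replay sequential guesses against the gate; return (outcome, guesses sent)."""
    for i in range(budget):
        result = gate.verify(account, secret, f"{i:06d}", now)
        if result != "rejected":
            return result, i + 1
    return "exhausted", budget


def guess_rate_needed(window_seconds, code_space=CODE_SPACE):
    """Guesses per second needed to cover the whole code space in one code lifetime."""
    return code_space / window_seconds


def success_probability(guesses, code_space=CODE_SPACE):
    """Chance that `guesses` distinct codes include the one valid in this window."""
    return min(guesses, code_space) / code_space
```

With the assumed threshold, an attacker gets at most five distinct guesses per lockout period, so the per-window success chance is 5 in a million, whereas covering the space in 45 seconds without any limit would need roughly 22,000 submissions per second.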

The lack of clarity from Dashlane has fueled skepticism, leaving users to wonder how 20 vaults were ultimately compromised despite the company’s security measures.

(Source: Ars Technica)
