
How Attackers Downloaded Encrypted Dashlane Password Vaults

Summary

– Attackers launched a coordinated campaign targeting Dashlane users, attempting to download encrypted password vaults by abusing the new-device enrollment process.
– The threat actor installed the Dashlane app on many devices and used them to send enrollment requests to users’ registered email addresses.
– Dashlane’s automated security systems triggered account lockouts in response to the brute force attack on device registration API endpoints.
– Before the attack was fully mitigated, the threat actor brute-forced valid tokens for fewer than 20 personal plan customers, allowing them to register devices and download encrypted vaults.
– Encrypted vaults remain unreadable without the user’s master password, which acts as the decryption key.

A coordinated hacking campaign recently targeted Dashlane users, aiming to steal encrypted password vaults. The password manager provider confirmed that attackers succeeded in downloading fewer than 20 personal user vaults before the operation was shut down.

The unknown threat actor launched the campaign last Sunday by exploiting the feature that allows users to add new devices, such as phones or computers, to their accounts. After installing the Dashlane app on numerous devices, the attackers used them to send enrollment requests to existing users’ registered email addresses. In a security update published Thursday, Dashlane detailed the attack:

“The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints. In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.”

How the attack unfolded

When a user installs the Dashlane app on a new device and tries to enroll it in an existing account, Dashlane first verifies the account holder’s identity. This verification typically involves sending a one-time six-digit token to the user’s registered email address. For users with two-factor authentication enabled, a six-digit code from their authentication app is required instead. A six-digit numeric code has only one million possible values, so the endpoint that validates it is only as strong as the limit on failed attempts it enforces; the campaign described above worked by submitting guesses against that endpoint at high volume until, for a small number of accounts, a guess matched before the automatic lockout stopped it.

To complete registration, the user must enter this code into the Dashlane application. Only then does Dashlane approve the enrollment and send a copy of the encrypted vault to the new device. The vault content remains unreadable until the user enters their master password, from which the vault’s decryption key is derived on the device. As Dashlane explains in its security documentation, the one-time password must be entered on the new, enrolling device for registration to succeed. In practice, a downloaded vault is therefore only as safe as the master password protecting it: whoever holds a copy can attempt to guess that password offline, and changing the master password afterwards does not protect a copy that has already been taken, so the affected users’ best defence is to rotate the credentials stored inside the vault.
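The following is an added illustration, not Dashlane’s code and not part of the original article. It models a hypothetical device-registration endpoint that issues a six-digit one-time code and checks it on the enrolling device, and runs the same brute-force loop against two configurations: one with no limit on failed attempts, and one that locks the enrollment after a small number of failures, as Dashlane’s automated systems did. The endpoint, the account names and the attempt limit are all assumptions; the codes are generated locally with `secrets`, and the e-mail delivery step is left out.

```python
import hmac
import secrets
from dataclasses import dataclass

TOKEN_SPACE = 10**6  # a six-digit numeric code has exactly one million values


@dataclass
class Enrollment:
    """One pending new-device enrollment for an account (constructed model)."""
    token: str
    failed_attempts: int = 0
    locked: bool = False


class RegistrationEndpoint:
    """Hypothetical device-registration endpoint (not Dashlane's API).

    max_attempts=None models an endpoint with no lockout at all; a small
    integer models an automatic per-account lockout after that many failures.
    """

    def __init__(self, max_attempts=None):
        self.max_attempts = max_attempts
        self.pending = {}

    def issue_token(self, account):
        # Uniformly random six-digit code, zero-padded. In the real flow this
        # value is sent to the registered e-mail address, not returned to the caller.
        token = f"{secrets.randbelow(TOKEN_SPACE):06d}"
        self.pending[account] = Enrollment(token)
        return token

    def register_device(self, account, token):
        """Check a submitted code. Returns 'ok', 'bad_token' or 'locked'."""
        e = self.pending[account]
        if e.locked:
            return "locked"  # even the correct code is refused once locked
        if hmac.compare_digest(e.token, token):  # constant-time comparison
            del self.pending[account]  # single use: enrollment is consumed
            return "ok"
        e.failed_attempts += 1
        if self.max_attempts is not None and e.failed_attempts >= self.max_attempts:
            e.locked = True
            return "locked"
        return "bad_token"


def brute_force(endpoint, account):
    """Attacker loop: submit every six-digit code in order until the endpoint
    accepts one or locks the account. Returns (outcome, requests_sent)."""
    for guess in range(TOKEN_SPACE):
        result = endpoint.register_device(account, f"{guess:06d}")
        if result == "ok":
            return "vault_downloaded", guess + 1
        if result == "locked":
            return "locked_out", guess + 1
    return "exhausted", TOKEN_SPACE


def success_probability(max_attempts):
    """Chance that a per-account lockout after max_attempts failures still
    lets a uniformly guessing attacker hit the code on one account."""
    return max_attempts / TOKEN_SPACE


def expected_compromises(accounts, max_attempts):
    """With per-account lockouts, an attacker's best move is to spread guesses
    over many accounts; this is the expected number that still fall."""
    return accounts * success_probability(max_attempts)


if __name__ == "__main__":
    open_ep = RegistrationEndpoint(max_attempts=None)
    open_ep.issue_token("alice")
    print("no lockout  :", brute_force(open_ep, "alice"))

    locked_ep = RegistrationEndpoint(max_attempts=5)
    locked_ep.issue_token("alice")
    print("lockout at 5:", brute_force(locked_ep, "alice"))
    print("per-account success probability:", success_probability(5))
    print("expected compromises over 1e6 accounts:", expected_compromises(10**6, 5))
```

Without a lockout the loop always ends in `vault_downloaded` after at most one million requests; with a lockout it almost always ends in `locked_out`, and the residual risk per account is `max_attempts / 10**6`. The last function shows why a per-account lockout limits but does not eliminate the attack when it is run against a large population of accounts at once.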

(Source: Ars Technica)
