Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users."

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 12:01:01 GMT

briankrebs@infosec.exchange — Wed, 03 Jun 2026 12:01:01 GMT

@dalias You got it. Put that dusty old bitcoin mining botnet to work on it!

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:54:05 GMT

dalias@hachyderm.io — Wed, 03 Jun 2026 11:54:05 GMT

@briankrebs Ahhh, that makes sense. So if they have strong passphrases, nothing. But if weak, crackable offline with big resources.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:51:02 GMT

briankrebs@infosec.exchange — Wed, 03 Jun 2026 11:51:02 GMT

@dalias They got access to 20 encrypted vaults. They'd still have to work out the master password for those targeted accounts. Theoretically, that could be done offline, as happened w/ the breach at LastPass, but it took many months for a lot of those stolen vaults to be cracked.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:49:30 GMT

dalias@hachyderm.io — Wed, 03 Jun 2026 11:49:30 GMT

@briankrebs "gained access to the encrypted password vaults" sounds like they weren't encrypted.

Unless they mean the attackers only gained access to what amounts to random bits.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:48:48 GMT

gareth@tenforward.social — Wed, 03 Jun 2026 11:48:48 GMT

@shironeko @briankrebs
If they knew the master password then the whole vault is compromised as they got an encrypted offline copy of that too

Terrifying.

I eagerly await updates on this as more facts are discovered…

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:43:24 GMT

pl@cosocial.ca — Wed, 03 Jun 2026 11:43:24 GMT

@briankrebs brute-forcing 2FA? Like they brute-forced the 2FA codes? There was no rate limiting? No failure after N tries? That's not really better

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:37:41 GMT

netzblockierer@tech.lgbt — Wed, 03 Jun 2026 11:37:41 GMT

@briankrebs the fact that Dashlane allowed 2FA to be brute forced instead of raising timeouts and warning users is what worries me.

Tho granted, what else did I expect from a proprietary SaaS-only "solution" that literally infringed on John Deere's logo in the past (which I presume was the reason they changed their logo some time ago!)…

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:37:35 GMT

shironeko@fedi.tesaguri.club — Wed, 03 Jun 2026 11:37:35 GMT

@briankrebs @koehntopp I could imagine one scenario where if they allow adding a second device base on only 2fa (stupid) then you can try a lot of users and someone will be hit just by chance and the rate limit would not apply.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:36:51 GMT

koehntopp@infosec.exchange — Wed, 03 Jun 2026 11:36:51 GMT

@briankrebs
Well, there's a recent surge of sites where the default after entering your email is you're being sent a code to that email - THAT is something that would not require knowing the password, but it's also not 2FA (well, not as we'd use that word, anyway)

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:36:05 GMT

tony@toot.hoyle.me.uk — Wed, 03 Jun 2026 11:36:05 GMT

@briankrebs Is their 2FA not normal 2FA then? I'd expect a 6 digit code that changed every 30 seconds or so.. brute forcing that would be incredibly unlikely.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:35:14 GMT

briankrebs@infosec.exchange — Wed, 03 Jun 2026 11:35:14 GMT

@koehntopp I had the same question. Seems to me, the only way brute-force is useful as an attack is if you can by default try a large number of possible combinations at once, but they're saying that rate limiting was what caused the affected accounts to get locked out the other day. Something isn't adding up.

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:33:50 GMT

shironeko@fedi.tesaguri.club — Wed, 03 Jun 2026 11:33:50 GMT

@briankrebs hmm I'm not familiar with how dashlane works, but how did they reach 2fa? I guess their
master password was weak?

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:32:53 GMT

koehntopp@infosec.exchange — Wed, 03 Jun 2026 11:32:53 GMT

@briankrebs
Brute force 2FA...?

That does not sound like something that should be successfully possible? Wouldn't you have to know the password before that, too?

Reply to Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." on Wed, 03 Jun 2026 11:28:16 GMT

troed@swecyb.com — Wed, 03 Jun 2026 11:28:16 GMT

@briankrebs Brute forcing 2FA seems a bit strange. Never used Dashlane though so I have no idea what methods they might be using. REST endpoint that allows an unlimited amount of 6 digit tries?

I'm _so_ curious as to how they've managed this.