Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users."
-
RE: https://infosec.exchange/@briankrebs/116670688015956223
Dashlane posted an update saying hackers brute-forced its two-factor authentication system, and gained access to the encrypted password vaults for "fewer than 20 personal plan users." Dashlane said there was no evidence of a hack of its own systems, but it hasn't shared yet why or how that 2FA was compromised. The company said “the goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” and that it has already notified affected users.
@briankrebs Brute forcing 2FA seems a bit strange. Never used Dashlane though so I have no idea what methods they might be using. REST endpoint that allows an unlimited number of 6-digit tries?
I'm _so_ curious as to how they've managed this.
-
@briankrebs
Brute force 2FA...? That does not sound like something that should be successfully possible? Wouldn't you have to know the password before that, too?
-
@briankrebs hmm I'm not familiar with how dashlane works, but how did they reach 2fa? I guess their master password was weak?
-
@koehntopp I had the same question. Seems to me, the only way brute-force is useful as an attack is if you can by default try a large number of possible combinations at once, but they're saying that rate limiting was what caused the affected accounts to get locked out the other day. Something isn't adding up.
-
@briankrebs Is their 2FA not normal 2FA then? I'd expect a 6 digit code that changed every 30 seconds or so.. brute forcing that would be incredibly unlikely.
-
@briankrebs
Well, there's a recent surge of sites where the default after entering your email is you're being sent a code to that email - THAT is something that would not require knowing the password, but it's also not 2FA (well, not as we'd use that word, anyway)
-
@briankrebs @koehntopp I could imagine one scenario where if they allow adding a second device based on only 2fa (stupid) then you can try a lot of users and someone will be hit just by chance and the rate limit would not apply.
-
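The "one guess per account, spread across many accounts" scenario above, worked through as an added example (not code from Dashlane or from anyone in this thread): the probability math, and a hypothetical limiter showing that a per-account failure counter alone never triggers on that pattern, while a per-source counter does. All names, limits and the 203.0.113.7 address are constructed.

```python
from collections import defaultdict

CODE_SPACE = 10 ** 6  # a 6-digit TOTP code, as the thread assumes

def p_any_success(accounts: int, tries_per_account: int) -> float:
    """Probability that at least one account accepts a guess when each of
    `accounts` accounts receives `tries_per_account` random 6-digit guesses."""
    p_one = tries_per_account / CODE_SPACE
    return 1 - (1 - p_one) ** accounts

class DeviceRegistrationLimiter:
    """Hypothetical limiter for failed 2FA checks on device registration.
    Counts failures per account and, optionally, per source address; either
    counter reaching its limit blocks further attempts under that key."""
    def __init__(self, per_account_limit, per_source_limit=None):
        self.per_account_limit = per_account_limit
        self.per_source_limit = per_source_limit  # None = no per-source rule
        self.failed_by_account = defaultdict(int)
        self.failed_by_source = defaultdict(int)

    def allow(self, account: str, source: str) -> bool:
        if self.failed_by_account[account] >= self.per_account_limit:
            return False
        if self.per_source_limit is not None and \
                self.failed_by_source[source] >= self.per_source_limit:
            return False
        return True

    def record_failure(self, account: str, source: str) -> None:
        self.failed_by_account[account] += 1
        self.failed_by_source[source] += 1

def simulate_spray(limiter, accounts: int, source: str):
    """Constructed traffic: one wrong guess per account, all from one source.
    Returns (attempts the limiter permitted, attempts it blocked)."""
    permitted = blocked = 0
    for i in range(accounts):
        account = f"user{i}"
        if limiter.allow(account, source):
            permitted += 1
            limiter.record_failure(account, source)  # every guess is wrong here
        else:
            blocked += 1
    return permitted, blocked

if __name__ == "__main__":
    print(f"P(any hit), 1e6 accounts, 1 guess each: {p_any_success(10**6, 1):.3f}")
    weak = DeviceRegistrationLimiter(per_account_limit=5)
    fixed = DeviceRegistrationLimiter(per_account_limit=5, per_source_limit=20)
    print(simulate_spray(weak, 1000, "203.0.113.7"), simulate_spray(fixed, 1000, "203.0.113.7"))
```

The per-account-only limiter permits all 1000 guesses because no single account ever sees more than one failure; the per-source rule cuts the same traffic off after 20.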
@briankrebs the fact that Dashlane allowed 2FA to be brute forced instead of raising timeouts and warning users is what worries me.
- Tho granted, what else did I expect from a proprietary SaaS-only "solution" that literally infringed on John Deere's logo in the past (which I presume was the reason they changed their logo some time ago!)…
-
@briankrebs brute-forcing 2FA? Like they brute-forced the 2FA codes? There was no rate limiting? No failure after N tries? That's not really better
-
@shironeko @briankrebs
If they knew the master password then the whole vault is compromised as they got an encrypted offline copy of that too. Terrifying.
I eagerly await updates on this as more facts are discovered…
-
@briankrebs "gained access to the encrypted password vaults" sounds like they weren't encrypted.
Unless they mean the attackers only gained access to what amounts to random bits.
-
@dalias They got access to 20 encrypted vaults. They'd still have to work out the master password for those targeted accounts. Theoretically, that could be done offline, as happened w/ the breach at LastPass, but it took many months for a lot of those stolen vaults to be cracked.
-
@briankrebs Ahhh, that makes sense. So if they have strong passphrases, nothing. But if weak, crackable offline with big resources.
-
@dalias You got it. Put that dusty old bitcoin mining botnet to work on it!
-