Password manager Dashlane says hackers stole some customers' password vaults
Dashlane says hackers obtained at least a dozen encrypted password vaults during a weekend cyberattack that brute-forced the company's two-factor authentication system.

Dashlane, a popular password manager, has revealed that hackers stole encrypted password vaults from some of its customers during a cyberattack over the weekend. The company disclosed on its website that the hackers used a brute-force attack to defeat its two-factor authentication system, gaining access to around 20 customer accounts. The attackers were able to download copies of certain customers' encrypted vaults, which store sensitive credentials such as passwords.
However, Dashlane emphasized that there was no evidence of a compromise of its own systems. The company has not yet explained how the hackers managed to bypass its two-factor protections. According to Dashlane, the goal of the attack was to brute-force two-factor authentication protections to allow the attacker to register new devices on existing user accounts.
The company explained that attackers can use automated software to rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived security code expires. Dashlane has taken steps to mitigate the risk of future incidents, although the specifics of these measures have not been disclosed. The company has notified the approximately 20 customers whose encrypted vaults were stolen, but it is unclear if these customers were targeted for a specific reason.
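To make the mechanism concrete, here is an added example (not Dashlane's code) of the defensive side: a verifier for a short-lived numeric code that bounds guesses per challenge and expires the code, plus the arithmetic showing how an attempt cap limits an attacker's odds. The attempt cap and 30-second lifetime are assumed values, not Dashlane's settings.

```python
import hmac
import time
from dataclasses import dataclass

CODE_DIGITS = 6            # 10**6 possible codes
CODE_TTL_SECONDS = 30      # assumed code lifetime
MAX_ATTEMPTS_PER_CODE = 5  # assumed per-challenge guess budget

@dataclass
class Challenge:
    code: str
    issued_at: float
    attempts: int = 0
    locked: bool = False

class OtpVerifier:
    """Tracks one outstanding code per account and refuses unbounded guessing."""

    def __init__(self, now=time.time):
        self.now = now                      # injectable clock for testing
        self.active: dict[str, Challenge] = {}

    def issue(self, account_id: str, code: str) -> None:
        self.active[account_id] = Challenge(code=code, issued_at=self.now())

    def verify(self, account_id: str, candidate: str) -> str:
        ch = self.active.get(account_id)
        if ch is None:
            return "no_challenge"
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            del self.active[account_id]      # stale code is never accepted
            return "expired"
        if ch.locked:
            return "locked"                  # budget spent: no further guesses count
        ch.attempts += 1
        if hmac.compare_digest(ch.code, candidate):  # constant-time comparison
            del self.active[account_id]      # single use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS_PER_CODE:
            ch.locked = True                 # lock rather than keep answering
            return "locked"
        return "wrong"

def guess_probability(max_attempts: int, digits: int = CODE_DIGITS) -> float:
    """Chance of hitting a uniformly random code within max_attempts guesses."""
    return min(1.0, max_attempts / 10 ** digits)
```

With no cap, an attacker who can submit all 10**6 codes before expiry succeeds with certainty; with a budget of five guesses per challenge the chance drops to 5e-6, and a new challenge must be issued (and can be alerted on) before another attempt.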
The stolen vaults are encrypted and cannot be read without the customer's master password, which is known only to the customer and is not uploaded to Dashlane in plaintext. However, customers with easily guessed master passwords are at greater risk of having their vaults decrypted. This incident highlights the risks associated with password manager companies being targeted by hackers.
In 2022, LastPass confirmed that customer password vault backups were stolen during a cyberattack, while in 2021, Australian software house Click Studios warned customers to reset all credentials after hackers compromised its software update mechanism.
Source: TechCrunch