2026-06-02 The Hacker News

Dashlane Confirms Brute-Force Attack Exposed Encrypted Vaults of Under 20 Users

Data Breach, Authentication, Incident Response

Password manager Dashlane has disclosed a brute-force security incident in which encrypted password vaults belonging to fewer than 20 personal plan subscribers were downloaded by an unknown threat actor. The attack, which the company confirmed on May 31, 2026, specifically targeted two-factor authentication (2FA) protections on user accounts in an effort to register unauthorized new devices. While the exact number of targeted accounts remains undisclosed, Dashlane reported that the high volume of authentication attempts triggered its built-in security controls, temporarily locking out legitimate users and causing authentication disruptions across its platform.

In a handful of cases, the attackers successfully bypassed 2FA safeguards and were able to exfiltrate a copy of the encrypted vault data. Dashlane emphasized that the stolen vaults remain cryptographically protected by users' Master Passwords, meaning that unless those credentials are weak, reused, or easily guessable, the encrypted data should resist offline cracking attempts. The company also clarified that its internal systems were not compromised during the incident, framing it as a credential-based attack rather than a deeper infrastructure breach. Users can verify whether their credentials have appeared in known exposures by running them through an email breach checker and confirming their Master Password strength with a password checker.

Dashlane has directly notified all affected users, while the broader customer base has been told there is no impact on their accounts. The company has restored access to suspended accounts and is advising all subscribers to review the list of devices currently registered to their Dashlane profile, remove any unrecognized entries, enable 2FA, and ensure their Master Password meets modern length and complexity standards. As an added precaution, security teams and individual users alike can run a broader privacy checkup to identify lingering exposures across their digital footprint.

The Dashlane incident underscores a persistent truth in credential security: even robust 2FA implementations can be defeated by sufficiently persistent brute-force campaigns if account-level rate limiting and anomaly detection are not tuned aggressively enough. With master passwords serving as the last line of defense for encrypted vault data, users and enterprise administrators should treat the incident as a reminder to audit authentication policies, enforce strong, unique master credentials, and monitor account activity for the kind of suspicious registration attempts that preceded this breach.
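The account-level rate limiting and monitoring described above can be sketched as a sliding-window check over 2FA results during new-device registration. This is an added example, not code from Dashlane or the original article; the log format, account names and thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format, not real Dashlane logs):
# timestamp, account, result of a 2FA check during new-device registration.
SAMPLE_LOG = """\
2026-05-30T09:00:00 carol fail
2026-05-30T09:12:00 carol fail
2026-05-30T09:24:00 carol fail
2026-05-30T09:36:00 carol fail
2026-05-30T09:48:00 carol fail
2026-05-30T10:00:00 alice fail
2026-05-30T10:00:20 alice fail
2026-05-30T10:00:40 alice fail
2026-05-30T10:01:00 alice fail
2026-05-30T10:01:20 alice fail
2026-05-30T10:01:40 alice fail
2026-05-30T10:02:00 alice ok
2026-05-30T10:05:00 bob fail
2026-05-30T10:05:30 bob fail
2026-05-30T10:06:00 bob ok
"""

WINDOW = timedelta(minutes=5)   # assumed tuning value
MAX_FAILURES = 5                # assumed tuning value

def parse(log):
    """Yield (timestamp, account, result) tuples from the constructed format."""
    for line in log.splitlines():
        if line.strip():
            ts, account, result = line.split()
            yield datetime.fromisoformat(ts), account, result

def analyze(log, window=WINDOW, max_failures=MAX_FAILURES):
    """Return {account: findings} using a per-account sliding window of failures."""
    recent = defaultdict(deque)      # account -> timestamps of recent failures
    findings = defaultdict(set)
    for ts, account, result in sorted(parse(log)):
        q = recent[account]
        while q and ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if result == "fail":
            q.append(ts)
            if len(q) >= max_failures:
                findings[account].add("throttle")             # lock or slow the account
        elif result == "ok" and len(q) >= max_failures:
            findings[account].add("success_after_burst")      # review the new device
    return dict(findings)

if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

With the default five-minute window only the burst against `alice` is flagged; evaluating the same events against a longer window as well also surfaces the slower failures on `carol`, which is the tuning trade-off the paragraph refers to.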

Source: The Hacker News
