Password manager provider Dashlane has confirmed that hackers successfully brute-forced its two-factor authentication system over the weekend, gaining unauthorized access to approximately 20 customer accounts and downloading their encrypted password vaults in the process.
According to Dashlane's incident disclosure, the attack was aimed at the 2FA step itself: the attackers defeated the second factor in order to register new devices on existing user accounts, rather than attempting to crack vault encryption. Once a device was registered, they could download the encrypted vault data associated with that account.
Dashlane clarified that there is no evidence its core backend infrastructure was compromised. The attack appears to have been a targeted credential-based operation rather than a systemic breach of Dashlane's servers or databases. However, the company has not yet disclosed the specific technical mechanism by which attackers defeated its 2FA controls -- a critical detail that security researchers and affected customers are pressing to understand.
The vaults themselves remain encrypted and can only be decrypted with each account's master password. That password is now the remaining line of defense, however: with the ciphertext in hand, an attacker can guess at it offline, free of the lockouts and rate limits that apply to a live login, so the affected users' vault security rests on master-password strength and the cost of the vault's key derivation. Whatever the exact mechanism, the incident raises serious questions about how well software-based 2FA holds up under sustained guessing: a six-digit TOTP code has only a million possible values, and a verifier that does not throttle or lock out repeated failures will eventually accept one. Dashlane stated it has taken steps to prevent similar incidents but stopped short of describing those mitigations in technical detail.
The incident follows a string of high-profile attacks targeting credential managers and identity providers in recent years. Security researchers have responded by intensifying calls for broader adoption of FIDO2/WebAuthn authenticators, whether hardware security keys or passkeys, as structurally more resistant alternatives to time-based one-time password (TOTP) 2FA: a WebAuthn login is a signature over a server-chosen challenge, bound to the site's origin, so there is no short code to guess, phish or replay. While Dashlane characterized the scope as limited, experts note that a single decrypted password vault can expose hundreds of credentials across enterprise systems, cloud services, and personal accounts.
Dashlane has begun notifying affected customers directly and said it is cooperating with relevant authorities. The company has also temporarily tightened device registration controls as a precautionary measure while its investigation continues.
Why It Matters
This incident is a direct challenge to the assumption that software-based 2FA provides strong enough account security for sensitive credential stores. Any enterprise using TOTP-based 2FA to protect VPN access, admin portals, password vaults, or cloud infrastructure should treat this as a forcing function for reviewing its authentication policy: wherever TOTP is the only barrier between an attacker holding a valid password and the system, confirm that the verifier enforces failed-attempt limits, lockouts and single-use codes, and plan the move off it. Hardware security keys and passkey adoption are no longer edge-case best practices -- they are increasingly the baseline that security-conscious organizations need to move toward.
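The brute-force concern raised earlier and the policy review called for here both come down to the same arithmetic, so the following added example works it through. It is not Dashlane's code and not a reconstruction of the attack, whose mechanism Dashlane has not disclosed: it is an RFC 6238 TOTP verifier using the public RFC 4226/6238 test-vector seed, run against a guessing attacker who has already passed the first factor, once without any throttling and once with a failed-attempt lockout, plus the success probability for a given number of random guesses. The `TotpVerifier`, `brute_force` and `success_probability` names, the lockout parameters and the sequential guessing strategy are this example's own choices.

```python
"""TOTP verification with and without brute-force throttling (added example)."""
import hashlib
import hmac
import struct

# Constructed test secret: the ASCII seed from the RFC 4226 / RFC 6238 test
# vectors, chosen so the expected codes are public and checkable.
SECRET = b"12345678901234567890"
DIGITS = 6
STEP = 30


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the current time step."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Server-side verifier (example design, not any vendor's implementation).

    window=1 accepts the previous, current and next step, i.e. 3 codes out of
    10**6, which makes guessing cheaper than the six digits suggest.
    max_failures=None disables lockout and models a verifier that never throttles.
    """

    def __init__(self, secret, window=1, max_failures=5, lockout_seconds=900):
        self.secret = secret
        self.window = window
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures = 0
        self.locked_until = 0
        self.last_counter = -1   # highest counter already consumed (replay guard)
        self._codes = {}         # counter -> code, so each HMAC is computed once

    def _code_for(self, counter: int) -> str:
        if counter not in self._codes:
            self._codes[counter] = hotp(self.secret, counter)
        return self._codes[counter]

    def verify(self, code: str, unix_time: int) -> bool:
        if unix_time < self.locked_until:
            return False  # locked out: reject even a correct code until the lock expires
        counter = unix_time // STEP
        for c in range(counter - self.window, counter + self.window + 1):
            if hmac.compare_digest(self._code_for(c), code):
                if c <= self.last_counter:
                    return False  # RFC 6238 s5.2: never accept the same code twice
                self.last_counter = c
                self.failures = 0
                return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked_until = unix_time + self.lockout_seconds
        return False


def brute_force(verifier: TotpVerifier, unix_time: int, max_attempts: int):
    """Attacker past the first factor enumerates 000000, 000001, ... within one step.

    Returns (succeeded, attempts_used); stops early once the verifier is locked.
    """
    for n in range(max_attempts):
        if unix_time < verifier.locked_until:
            return False, n
        if verifier.verify(str(n).zfill(DIGITS), unix_time):
            return True, n + 1
    return False, max_attempts


def success_probability(attempts: int, digits: int = DIGITS, window: int = 1) -> float:
    """Chance that `attempts` uniformly random guesses hit one of the 2*window+1
    codes accepted in a single step (ignores step rollover during the attack)."""
    p_hit = (2 * window + 1) / 10 ** digits
    return 1.0 - (1.0 - p_hit) ** attempts


if __name__ == "__main__":
    t = 59  # RFC 6238 vector time: counter 1, 6-digit code 287082
    print("current code:", totp(SECRET, t))
    ok, n = brute_force(TotpVerifier(SECRET, max_failures=None), t, 10 ** DIGITS)
    print(f"unthrottled verifier: success={ok} after {n} guesses")
    ok, n = brute_force(TotpVerifier(SECRET, max_failures=5), t, 10 ** DIGITS)
    print(f"throttled verifier:   success={ok} after {n} guesses")
    print("P(success | 100k random guesses):", round(success_probability(100_000), 3))
```

Run as a script, the unthrottled verifier accepts a guess after 287,083 sequential attempts (the current step's code, 287082, happens to be the smallest of the three accepted values), while the throttled one stops the attacker after five, and about a quarter of attackers making 100,000 random guesses would get in against an unthrottled verifier. The point for the policy review is concrete: a TOTP deployment is only as strong as its attempt limits, lockouts and replay checks, none of which a FIDO2 response depends on, since it is a signature over a server-chosen challenge rather than a guessable code.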