Password manager Dashlane has disclosed details of a targeted attack in which threat actors successfully downloaded fewer than 20 encrypted user vaults before the company's automated defenses kicked in and shut down the operation. The disclosure, published this week, gives a technical breakdown of how attackers exploited the platform's device enrollment mechanism to carry out the campaign.
According to Dashlane, the attack began on a Sunday when an unknown threat actor began systematically abusing the API endpoints that allow users to register new devices on their accounts. The process normally works by sending a one-time, six-digit verification token to the account holder's registered email address. The attackers took a brute-force approach: they flooded the API with automated requests to guess valid tokens and obtain authentication credentials for accounts that were not theirs.
The sheer scale of the automated targeting explains why even a small success rate was enough to produce results. By casting a wide net across a large number of users, the attackers increased the statistical probability of stumbling upon a valid token combination. Dashlane said the operation only resulted in fewer than 20 personal plan customer vaults being downloaded, and those vaults remain encrypted with the account holder's master password, meaning any data inside is theoretically useless without that key.
Dashlane's automated security systems detected the abnormal request patterns and triggered account lockouts before the campaign could gain further traction. The company said those controls operated as intended during the incident. Affected customers have been notified.
Why It Matters
This incident highlights the persistent vulnerability of device-enrollment and account-recovery workflows in cloud-based password managers. Even with strong encryption in place, a misconfigured API endpoint or one with no rate limiting can serve as an entry point. The attack required no stolen master passwords and no phishing, just patience and automation pointed at a public-facing endpoint.
For enterprise security teams, the lesson is clear: API rate limiting, brute-force detection, and anomaly-based alerting on authentication flows are not optional features. They are the last line of defense when credential management tools become targets. Dashlane's transparency in publishing the technical details of this attack gives the broader security community a concrete case study in how modern password managers can be probed at scale.
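To make the controls named above concrete, here is an added example (not Dashlane's code, and not a description of its actual implementation) of a device-enrollment token check with the defenses the article calls for: a per-token attempt limit, an account lockout after repeated voided tokens, and an alert when a single source probes many distinct accounts. The thresholds, account names and source addresses are constructed for illustration, and the six-digit token format follows the article.

```python
"""Device-enrollment token verification with brute-force controls.

Added example. The policy numbers below are assumptions chosen for
illustration, not Dashlane's real settings.
"""
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

TOKEN_DIGITS = 6
MAX_ATTEMPTS_PER_TOKEN = 5      # assumed: wrong guesses before a token is voided
LOCKOUT_THRESHOLD = 3           # assumed: voided tokens before the account locks
SOURCE_ACCOUNT_THRESHOLD = 10   # assumed: distinct accounts one source may touch before alerting


@dataclass
class Pending:
    token: str
    failures: int = 0


@dataclass
class EnrollmentService:
    pending: dict = field(default_factory=dict)   # account -> Pending token
    voided: defaultdict = field(default_factory=lambda: defaultdict(int))
    locked: set = field(default_factory=set)
    source_accounts: defaultdict = field(default_factory=lambda: defaultdict(set))
    alerted_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)    # (kind, subject) tuples

    def issue_token(self, account):
        """Create the one-time code that would be emailed to the account holder."""
        if account in self.locked:
            return None
        tok = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self.pending[account] = Pending(tok)
        return tok

    def verify(self, account, guess, source):
        """Check a submitted code; returns a status string for the caller/log."""
        # Anomaly signal: one source spraying guesses across many accounts.
        self.source_accounts[source].add(account)
        if (len(self.source_accounts[source]) >= SOURCE_ACCOUNT_THRESHOLD
                and source not in self.alerted_sources):
            self.alerted_sources.add(source)
            self.alerts.append(("source_probing_many_accounts", source))

        if account in self.locked:
            return "locked"
        p = self.pending.get(account)
        if p is None:
            return "no_token"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(p.token, guess):
            del self.pending[account]
            return "ok"
        p.failures += 1
        if p.failures >= MAX_ATTEMPTS_PER_TOKEN:
            # Token exhausted: discard it so the remaining guesses are useless.
            del self.pending[account]
            self.voided[account] += 1
            if self.voided[account] >= LOCKOUT_THRESHOLD:
                self.locked.add(account)
                self.alerts.append(("account_locked", account))
                return "locked"
            return "token_voided"
        return "fail"


def worst_case_guess_budget():
    """Maximum wrong guesses an attacker gets per account before lockout."""
    return MAX_ATTEMPTS_PER_TOKEN * LOCKOUT_THRESHOLD


def wrong_guess(token):
    """A code that is guaranteed not to match (used to drive the demo)."""
    return "000001" if token == "000000" else "000000"


def demo():
    """Replay two constructed abuse patterns plus one legitimate enrollment."""
    svc = EnrollmentService()
    # Constructed: one source tries a single guess against 12 different accounts.
    for i in range(12):
        acct = f"user{i}@example.test"
        svc.verify(acct, wrong_guess(svc.issue_token(acct)), "198.51.100.7")
    # Constructed: one account hammered until it locks.
    victim = "victim@example.test"
    outcomes = []
    for _ in range(LOCKOUT_THRESHOLD):
        tok = svc.issue_token(victim)
        for _ in range(MAX_ATTEMPTS_PER_TOKEN):
            outcomes.append(svc.verify(victim, wrong_guess(tok), "203.0.113.9"))
    # Constructed: a real user enters the emailed code correctly.
    legit = "alice@example.test"
    legit_result = svc.verify(legit, svc.issue_token(legit), "192.0.2.4")
    return svc, outcomes, legit_result


if __name__ == "__main__":
    service, results, ok = demo()
    print("legit enrollment:", ok)
    print("victim outcomes:", results)
    print("alerts:", service.alerts)
    print("worst-case guesses per account:", worst_case_guess_budget())
```

With these assumed thresholds an attacker gets at most 15 wrong guesses per account out of a million possible codes, and the spray pattern described in the article (one source touching many accounts) raises an alert well before any individual account reaches lockout. The per-account limit is what makes the arithmetic work in the defender's favour; the per-source counter is what catches a wide, low-rate campaign that never trips the per-account limit at all.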
Users who rely on Dashlane or any similar service should ensure their master password is unique, complex, and not stored anywhere else. Enabling a hardware security key or passkey-based two-factor authentication adds a layer that no brute-force token campaign can bypass, and it remains one of the most effective security controls available to individual and enterprise users alike.