Son Dakika
INUS Strikes Iranian Targets After Ships Attacked Off OmanITGuerra Iran, raid Usa dopo attacchi iraniani su navi nello stretto di Hormuz. LIVEBRIdoso desaparece após caminhada de rotina em bairro de Boituva (SP)EUUS Launches New Strikes Against Iran Amid Ceasefire StrainBRSegundo suspeito de matar motorista de app a tiros em Rio Preto é detidoINCandace Owens-Andrew Kolvet feud escalates over Charlie Kirk's legacyBRHomem que ofereceu 'noite de pizza' para atrair adolescente é preso por estupro no DFRUСпецпосланник Трампа и Кушнер могут посетить МосквуARالاتحاد الأوروبي يسعى لحماية الوصول للذكاء الاصطناعي المتقدم وسط قيود أمريكيةRUГендиректор МАГАТЭ Рафаэль Гросси: в случае избрания генсеком ООН будет вести диалог со всемиINUS Strikes Iranian Targets After Ships Attacked Off OmanITGuerra Iran, raid Usa dopo attacchi iraniani su navi nello stretto di Hormuz. LIVEBRIdoso desaparece após caminhada de rotina em bairro de Boituva (SP)EUUS Launches New Strikes Against Iran Amid Ceasefire StrainBRSegundo suspeito de matar motorista de app a tiros em Rio Preto é detidoINCandace Owens-Andrew Kolvet feud escalates over Charlie Kirk's legacyBRHomem que ofereceu 'noite de pizza' para atrair adolescente é preso por estupro no DFRUСпецпосланник Трампа и Кушнер могут посетить МосквуARالاتحاد الأوروبي يسعى لحماية الوصول للذكاء الاصطناعي المتقدم وسط قيود أمريكيةRUГендиректор МАГАТЭ Рафаэль Гросси: в случае избрания генсеком ООН будет вести диалог со всеми
Newsgather
GeriDashlane Security Advisory Raises More Questions Than Answers
Dashlane Security Advisory Raises More Questions Than Answers
Gelişiyor
Ars Technica03.06.2026Teknoloji3 dk okumaUnited States

Dashlane Security Advisory Raises More Questions Than Answers

Hızlı Bakış

Dashlane's security advisory about attackers obtaining encrypted user vaults has raised concerns due to a lack of clarity on the attack's mechanics, particularly how two-factor authentication was bypassed and how initial account access was gained.

Yapay zekâ özeti

Neden Önemli?

Dashlane published a security advisory on Monday warning that attackers obtained 20 encrypted user vaults. The advisory stated that an external party launched a brute force attack on May 31, 2026, aiming to bypass two-factor authentication (2FA) to register new devices on user accounts.

Yazı boyutu

There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.

“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

Hello, Dashlane, anybody home?

A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.

The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user got no information about why the notification was sent.

“Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”

Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. They’re typically six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for three hours.

Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour window.

While the resources needed to bombard Dashlane servers with that volume of guesses in such a short period of time are possible, they’re not commonly found in usual brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it appears likely based on language in the advisory saying “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so.

It’s possible that Dashlane’s reference to 2FA meant something else. Sometimes, 2FA can come in the form of push notifications. Once someone enters the correct account password, the notification is sent to the registered device. For the login to succeed, the user must press a button on their device that provides the second factor. A tactic known as 2FA fatigue attacking exploits the friction of this process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, resulting in a push notification being sent to the target each time. After dozens or even hundreds of attempts, the target finally gives in and presses the approve button.

And of course, brute-force attacks on 2FA require the first authentication factor to already have been broken. Dashlane makes no mention of what this factor is or how it was broken.

It’s still further plausible that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving a request to approve a device owned by the attacker instead.

Dashlane said it has contacted fewer than 20 account holders whose encrypted vaults were obtained. “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account,” the company said. It also notes that without the master decryption password—which Dashlane never sees or stores—vault contents remain safe.

But without more information, we’re left with more questions than we should be. Dashlane has maintained silence for more than 48 hours since publishing the opaque advisory. Company representatives didn’t respond to an email seeking details.

Post updated to add details from a Dashlane user who recived the notifcation.

Açık Sorular

  • How was the initial password factor breached?
  • What specific type of 2FA was targeted and how was it bypassed?
  • Why did the 2FA code remain valid for three hours?
  • What were the exact security controls Dashlane had in place, and why did they fail?

İlgili Konular

Bu haber ilk olarak şurada yayınlandı: Ars Technica.

İlgili Haberler

Bu konuda daha fazlaDashlane