Dashlane disclosed a security incident in which threat actors successfully retrieved encrypted password vaults for approximately 20 users by leveraging a brute-force attack that circumvented 2FA safeguards.
Based on information posted on Dashlane’s status page, the attackers did not breach the company’s internal systems. Their efforts were directed at the additional authentication layer, where they repeatedly attempted to overcome one-time passcodes sent via SMS or email.

Dashlane explained that the attack was designed to bypass two-factor authentication and allow unauthorized devices to be linked to existing accounts. The company said the attackers likely used automated tools to repeatedly enter possible code combinations until they successfully guessed a valid one. That gave them the ability to register new devices and obtain copies of the affected users’ password vaults.
According to Dashlane, the password vaults remain encrypted and require the user’s Master Password for access. The company doesn’t store Master Passwords and has not suggested that any were exposed in the attack.
Dashlane said the targeted accounts were automatically locked after its systems detected an abnormally large number of login attempts. The company has informed affected users and blocked traffic associated with the attackers. It also noted that further safeguards have been put in place, but did not disclose what those changes involve.
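The guessing attack and the lockout described above can be made concrete with a sketch of a device-enrollment check that caps guesses per code and locks the account after repeated failures. This is an added example, not Dashlane's code: the class name, the 6-digit code length and every threshold are assumptions, since the company has not disclosed its own values.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 5         # assumed guess budget per issued code
CODE_TTL_SECONDS = 300   # assumed code lifetime
LOCK_THRESHOLD = 3       # assumed: exhausted codes before the account locks


class DeviceEnrollmentGuard:
    """Hypothetical per-account OTP check for linking a new device."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._challenges = {}  # account -> [code, expires_at, attempts_left]
        self._burned = {}      # account -> codes exhausted by wrong guesses
        self.locked = set()

    def issue(self, account):
        if account in self.locked:
            raise PermissionError("account locked")
        code = f"{secrets.randbelow(10**6):06d}"
        self._challenges[account] = [code, self._clock() + CODE_TTL_SECONDS, MAX_ATTEMPTS]
        return code  # delivered out of band (SMS or email)

    def verify(self, account, guess):
        if account in self.locked:
            return False
        challenge = self._challenges.get(account)
        if challenge is None or self._clock() > challenge[1]:
            self._challenges.pop(account, None)  # missing or expired
            return False
        if hmac.compare_digest(challenge[0].encode(), guess.encode()):
            del self._challenges[account]        # codes are single use
            self._burned.pop(account, None)
            return True
        challenge[2] -= 1
        if challenge[2] == 0:                    # budget spent: invalidate the code
            del self._challenges[account]
            self._burned[account] = self._burned.get(account, 0) + 1
            if self._burned[account] >= LOCK_THRESHOLD:
                self.locked.add(account)
        return False


def guess_success_probability(codes_burned):
    """Chance of hitting a 6-digit code with MAX_ATTEMPTS distinct guesses per code."""
    return 1 - (1 - MAX_ATTEMPTS / 10**6) ** codes_burned
```

Under these assumed values an attacker gets at most 15 guesses against a one-in-a-million code space before the account locks, a success chance of about 0.0015%.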
Dashlane advises users to review the devices associated with their accounts, make sure two-factor authentication is active, and update their Master Password to a stronger one if necessary.

