Dashlane Discloses Brute-Force Attack, Encrypted Vaults of Fewer Than 20 Users Downloaded
Password manager Dashlane disclosed that fewer than 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack on May 31, 2026. The company stated that an external threat actor launched a brute-force attack against certain Dashlane user accounts, aiming to bypass two-factor authentication (2FA). Dashlane's investigation found that the attacker successfully downloaded encrypted vaults for fewer than 20 accounts, but no master passwords, payment data, or other account information were compromised. The affected users have been notified and advised to rotate their master passwords and review account activity. Dashlane emphasized that the attack did not exploit any vulnerability in its systems but targeted weak or reused passwords. The company has since implemented additional rate-limiting and monitoring measures to prevent similar incidents.
Developers using Dashlane should enforce strong, unique master passwords and enable 2FA to mitigate brute-force risks.