A coordinated hacking campaign targeted Dashlane users over the weekend, exploiting the password manager's device enrollment system to download encrypted password vaults. The company confirmed that fewer than 20 personal plan customers had their vaults accessed before security controls locked the attack down.
The unknown threat actor abused the API endpoints that allow users to register new devices on their accounts. By sending a high volume of automated requests to the device registration API, the attackers attempted to brute force the six-digit verification token sent to users' registered email addresses.
Dashlane's automated security systems triggered account lockouts for targeted users as designed. However, before mitigation was complete, the attackers managed to generate valid tokens for a small number of accounts. Once a token was obtained, they could register a new device and download a copy of the encrypted vault.
How the Attack Worked
When a user adds a new device, Dashlane sends a one-time six-digit code to their email or, if enabled, validates a code from an authenticator app. The attackers bombarded the device enrollment API with requests, trying to guess the correct token for large numbers of existing users.
The attack began on Sunday and targeted a broad base of Dashlane users. The company has not disclosed the total number of accounts targeted, but the attackers only succeeded against a small fraction. Dashlane said the attack was a "brute force attack" aimed at recovering as many encrypted vaults as possible.
Encrypted vaults contain users' saved passwords, notes, and other sensitive data. While the vaults are encrypted and require the master password to decrypt, the attack raises concerns about the security of cloud-synced password managers.
Response and Mitigation
Dashlane published a security advisory on Thursday detailing the incident. The company said its automatic lockout feature worked as intended, freezing accounts under attack. The attackers were unable to decrypt the downloaded vaults without the users' master passwords, but the incident exposes a potential weakness in the device enrollment process.
Dashlane has not disclosed whether it has made changes to the API to prevent similar abuse. The company recommends users enable two-factor authentication and use strong, unique master passwords. Affected users have been notified.
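The lockout behaviour described in this section, and the brute-force risk model from "How the Attack Worked", as an added defender-side example (not Dashlane's code; the five-attempt budget, the status strings and the helper names are assumptions):

```python
import hmac
import secrets

TOKEN_DIGITS = 6   # matches the six-digit code described above
MAX_ATTEMPTS = 5   # assumed failure budget per pending enrollment (not Dashlane's real value)


class EnrollmentVerifier:
    """Per-account one-time-code check with a hard failure budget and lockout."""

    def __init__(self, max_attempts=MAX_ATTEMPTS):
        self.max_attempts = max_attempts
        self.pending = {}  # account -> {"token": str, "failures": int, "locked": bool}

    def start(self, account, token=None):
        # Real deployments generate the code and email it; the optional
        # token argument only exists so tests can run deterministically.
        if token is None:
            token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self.pending[account] = {"token": token, "failures": 0, "locked": False}

    def verify(self, account, guess):
        entry = self.pending.get(account)
        if entry is None:
            return "no_enrollment"
        if entry["locked"]:
            return "locked"          # frozen: even the correct code is refused
        if hmac.compare_digest(entry["token"], guess):
            del self.pending[account]   # single use: a valid code cannot be replayed
            return "ok"
        entry["failures"] += 1
        if entry["failures"] >= self.max_attempts:
            entry["locked"] = True
            return "locked"
        return "denied"


def max_success_probability(max_attempts, digits=TOKEN_DIGITS):
    """Upper bound on an attacker's chance per account when each pending code
    allows at most max_attempts guesses before the account freezes."""
    return min(1.0, max_attempts / 10 ** digits)


def expected_compromises(accounts_targeted, max_attempts, digits=TOKEN_DIGITS):
    """Expected number of accounts whose code is guessed across a campaign."""
    return accounts_targeted * max_success_probability(max_attempts, digits)
```

Without the failure budget the bound grows linearly with request volume; with it, a campaign against a million accounts is capped at a handful of expected successes, which is the shape of outcome the advisory describes.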
Why This Matters
Password managers are trusted to store the keys to users' digital lives. An attack that successfully downloads encrypted vaults, even if they remain encrypted, undermines confidence in the security model. If attackers can brute force enrollment tokens, they could potentially target high-value accounts or use leaked vaults for offline cracking attempts.
This incident matters to all Dashlane users, especially those who rely on the cloud sync feature. The breach is limited in scope, but it highlights the ongoing arms race between security teams and attackers who probe APIs and authentication flows. Users should review their account activity and enable all available security features.