There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.
“Beginning on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”
Hello, Dashlane, anybody home?
A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.
The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user received no information about why the notification was sent.
“Then [I] found this information from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”
Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. They’re typically six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for three hours.
Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the correct one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour window.
While the resources needed to bombard Dashlane servers with that volume of guesses in such a short period of time are possible, they’re not commonly found in conventional brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it appears likely based on language in the advisory saying “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so.
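The arithmetic in the two paragraphs above, put next to a per-account lockout of the kind the advisory alludes to. This is an added example, not code from Dashlane or from the original article; the five-failure threshold, the account name, the code values and the 50-attempts-per-second replay rate are all constructed assumptions.

```python
import hmac
from dataclasses import dataclass, field

CODE_SPACE = 10 ** 6           # six-digit codes: the article's 1 million possibilities
WINDOW_SECONDS = 3 * 60 * 60   # code validity stated in the notification

def success_probability(guesses: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `guesses` distinct codes include the single valid one."""
    return min(guesses, code_space) / code_space

@dataclass
class TwoFactorThrottle:
    """Per-account failure counter with lockout. The threshold is an assumption."""
    max_failures: int = 5
    window: int = WINDOW_SECONDS
    failures: dict = field(default_factory=dict)   # account -> failure timestamps
    locked: set = field(default_factory=set)

    def verify(self, account: str, submitted: str, expected: str, now: int) -> str:
        if account in self.locked:
            return "locked"                        # code is never even compared
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(account, None)
            return "ok"
        recent = [t for t in self.failures.get(account, []) if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "denied"

def replay_sweep(throttle: TwoFactorThrottle, account: str, expected: str,
                 attempts: int) -> tuple:
    """Replay a constructed sequential sweep; return (final result, codes compared)."""
    compared, result = 0, "denied"
    for n in range(attempts):
        was_locked = account in throttle.locked
        result = throttle.verify(account, f"{n:06d}", expected, now=n // 50)
        compared += 0 if was_locked else 1
        if result == "ok":
            break
    return result, compared

if __name__ == "__main__":
    print(success_probability(150_000))            # no limit at all
    print(replay_sweep(TwoFactorThrottle(), "user@example.test", "493817", 150_000))
    print(success_probability(TwoFactorThrottle().max_failures))
```

With no limit, 150,000 distinct guesses cover 15 percent of the code space; with the assumed lockout, only five codes are ever compared per account, no matter how many submissions arrive.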
