arstechnica.com 6/3/2026, 8:01:12 PM · external

Dashlane confirms brute force attack hit 20 encrypted vaults

Primary Source support.dashlane.com

Dashlane issued a security advisory indicating that attackers had accessed 20 encrypted user vaults through a brute force attack aimed at bypassing two-factor authentication (2FA). This attack commenced on May 31, 2026, and involved guessing codes to register new devices on existing accounts. Users expressed confusion over the mechanics of the attack, which typically relies on 2FA methods that can include one-time passwords or push notifications.

While Dashlane suggested it had security measures that locked accounts due to high attack volumes, the absence of specific details regarding how the initial authentication factor was breached raised concerns. The company notified fewer than 20 affected users and stated that vault contents remain safe, as Dashlane never has access to the master decryption password. However, the lack of communication from Dashlane left many questions unanswered.


Article by CyberSIXT
