
Dashlane said attackers gained access to fewer than 20 encrypted user vaults after a brute-force attempt that tried to guess two‑factor authentication codes to register new devices. The company issued a security advisory on 2 June 2026, noting the activity began on 31 May and was detected after repeated failed login attempts. Only users on the personal plan were affected and the stolen data remains encrypted. Dashlane’s security advisory details the incident.
The assault used automated scripts to submit one‑time passcodes or push‑notification responses in order to trick the system into trusting a new device. No CVE identifier has been assigned because the flaw resides in the authentication flow rather than a software vulnerability. Dashlane’s internal logs showed a spike in failed 2FA challenges before the accounts were locked.
Because Dashlane encrypts vaults locally with a key derived from the master password, the attackers could not decrypt the stolen blobs without that secret. The company stressed that its servers never store the master password, so the vault contents remain unintelligible to anyone lacking it. Nevertheless, possession of the encrypted files allows offline guessing attacks if the master password is weak.
Security researchers who examined the advisory said the breach was limited in scope and appeared opportunistic rather than part of a targeted campaign. No threat actor has been claimed, and Dashlane reported that the abnormal traffic triggered its rate‑limiting protections, which halted further progress. The incident coincides with a rise in credential‑stuffing attempts against password‑manager services observed in the first half of 2026.
The event highlights the reliance on time‑based one‑time passwords and push notifications as a single point of failure when attackers can automate guessing. Experts warn that unless platforms enforce stricter device‑registration checks, similar brute-force tactics could succeed elsewhere. It also reminds users that the strength of the master password remains the ultimate safeguard for stored secrets.
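The per-account throttling that the rate-limiting and device-registration remarks above point to, as an added example that is not Dashlane's code: failed 2FA challenges are counted per account rather than per source IP, and a locked account refuses even a correct code. The threshold, window, class and function names, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque

MAX_FAILURES = 5       # assumed threshold, not a value from the advisory
WINDOW_SECONDS = 600   # assumed sliding window
CODE_SPACE = 10 ** 6   # six-digit one-time code

class DeviceRegistrationGuard:
    """Counts failed 2FA challenges per account, whatever the source IP."""

    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures = max_failures
        self.window = window
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked = set()

    def record(self, ts, account, code_correct):
        """Return 'registered', 'rejected' or 'locked' for one challenge."""
        if account in self.locked:
            return "locked"  # a correct guess after lockout is still refused
        if code_correct:
            self.failures.pop(account, None)
            return "registered"
        recent = self.failures[account]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "rejected"

def guess_probability(attempts, code_space=CODE_SPACE):
    """Chance that `attempts` distinct guesses hit one fixed code (simplified:
    a real TOTP code rotates, so this is a per-code bound)."""
    return min(attempts, code_space) / code_space

# Constructed events: (unix_ts, account, source_ip, code_correct)
SAMPLE_EVENTS = [
    (1000, "alice", "198.51.100.1", False), (1002, "alice", "198.51.100.2", False),
    (1003, "bob", "203.0.113.9", False),    (1004, "alice", "198.51.100.3", False),
    (1006, "alice", "198.51.100.4", False), (1008, "alice", "198.51.100.5", False),
    (1010, "alice", "198.51.100.6", True),  (1030, "bob", "203.0.113.9", True),
]

def replay(events, guard=None):
    """Feed events through a guard and return (account, outcome) pairs."""
    guard = DeviceRegistrationGuard() if guard is None else guard
    return [(acct, guard.record(ts, acct, ok)) for ts, acct, _ip, ok in events]
```

Because the counter is keyed on the account, rotating source addresses does not reset it; with five guesses allowed per code the attacker's chance against any one six-digit code is 5 in 1,000,000.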
Dashlane advises affected users to review the list of authorised devices in their account settings and remove any unfamiliar entries. Enabling login alerts for new devices or locations can provide early warning of suspicious activity. Users should also consider migrating to a hardware‑based second factor, such as a FIDO2 security key, which resists automated code guessing.
Those who suspect their master password may have been exposed are advised to change it immediately and re‑encrypt the vault, a step that requires decrypting and re‑encrypting the data locally. Keeping the Dashlane client up to date ensures any future server‑side mitigations are applied promptly. Users with concerns can contact support through the advisory page for further assistance.