Password manager Dashlane confirmed on Tuesday that hackers successfully breached roughly 20 customer accounts, allowing them to download encrypted password vaults. The incident, which occurred over the weekend, involved attackers brute-forcing the company's two-factor authentication (2FA) system.
According to TechCrunch, the breach allowed unauthorized parties to register new devices on existing user accounts. While the company stated that there is no evidence its own internal systems were compromised, it has not yet disclosed the specific technical method used to circumvent the 2FA protections.
Dashlane explained the mechanics of the intrusion in a security advisory, noting that the attackers used automated software against the verification step: by rapidly cycling through numeric combinations, they attempted to guess the correct code before the temporary security token expired.
“The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” the company stated on its incident response page.
Impact and Mitigation
The company has confirmed that it notified the approximately 20 affected users whose vaults were accessed. At this time, it remains unclear if these specific accounts were targeted due to their contents or the identities of the users involved.
Dashlane has stated that it has implemented measures to mitigate the risk of similar attacks in the future, though it declined to provide specific details regarding those security upgrades. The company did not respond to requests for further comment regarding the incident.
Two-factor authentication is intended to serve as a secondary layer of security, typically requiring an additional passcode sent to a user's mobile device to prevent unauthorized access. This incident highlights how exposed such a system is when it is subjected to high-speed, automated brute-force attempts without limits on the number of guesses it will evaluate.
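The following is an added illustration, not Dashlane's code or a description of its systems: a minimal RFC 6238 TOTP verifier that contrasts an unthrottled check with one that stops evaluating codes after a fixed number of wrong guesses. The lockout policy (5 failures, 15 minutes), the 1000 guesses-per-second attacker rate and the demo secret are assumptions; `brute_force_success` turns an attempt budget into the probability of hitting the one valid 6-digit code.

```python
import hashlib, hmac, struct
from dataclasses import dataclass

STEP, DIGITS = 30, 6   # RFC 6238 defaults: 30 s step, 6-digit codes
MAX_FAILURES = 5       # assumed lockout policy: wrong codes tolerated per account
LOCKOUT = 15 * 60      # assumed lockout policy: seconds before verification resumes

def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the time-step counter."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**DIGITS:0{DIGITS}d}"

@dataclass
class Account:
    secret: bytes
    failures: int = 0
    locked_until: float = 0.0

class Verifier:
    """Checks submitted codes; with throttle=True the lockout policy is enforced."""
    def __init__(self, throttle: bool) -> None:
        self.throttle = throttle

    def verify(self, acct: Account, code: str, now: float) -> str:
        if self.throttle and now < acct.locked_until:
            return "locked"            # guess is refused without being evaluated
        if hmac.compare_digest(code, totp(acct.secret, now)):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.throttle and acct.failures >= MAX_FAILURES:
            acct.failures, acct.locked_until = 0, now + LOCKOUT
        return "rejected"

def brute_force_success(attempts: int) -> float:
    """Chance that `attempts` random guesses hit the single valid 6-digit code."""
    return 1.0 - (1.0 - 10.0 ** -DIGITS) ** attempts

def attempts_evaluated(throttle: bool, n: int) -> int:
    """Submit n guaranteed-wrong codes at 1000/s inside one 30 s window and count
    how many the verifier actually compares: the attacker's effective budget."""
    acct, start = Account(secret=b"constructed demo secret"), 1_700_000_010.0
    verifier, real = Verifier(throttle), int(totp(acct.secret, start))
    evaluated = 0
    for i in range(n):                 # start is step-aligned, so one window
        wrong = f"{(real + 1 + i) % 10**DIGITS:0{DIGITS}d}"
        if verifier.verify(acct, wrong, start + i / 1000) == "rejected":
            evaluated += 1
    return evaluated
```

Unthrottled, the assumed attacker gets all 30,000 guesses of one window compared (about a 3% chance per window, compounding every 30 seconds); throttled, only 5 are compared before the account locks.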