Attackers hit multiple Dashlane accounts using brute force methods, attempting logins from distant locations and unknown devices. Users discovered the problem when suspension emails arrived without warning, and many turned to Reddit to compare notes.
Those emails told affected users that someone had tried to register a new device on their account and failed to enter the correct token after several attempts. Dashlane instructed them to contact customer support to restore access.
The situation created real disruption. Users who rely on a password manager as a daily tool can lose access to dozens of services the moment their vault goes offline. Dashlane’s engineering teams began investigating immediately and treated the incident as high priority.
How the Dashlane Brute Force Attack Worked
This was not a simple password guessing campaign. Attackers targeted two-factor authentication (2FA) codes specifically, with the goal of registering new devices on existing accounts.
A brute force attack on a one-time code is simple in principle: automated software submits guesses as fast as the server will accept them, hoping to hit the valid code before it expires. The odds are set by the size of the code space and by how many guesses the attacker can land inside one validity window. A typical six-digit code has one million possible values and rotates roughly every 30 seconds, so a single guess has a one-in-a-million chance, but an endpoint that accepts thousands of attempts per second without throttling lets an attacker cover a meaningful fraction of that space per window, and the chances accumulate across consecutive codes. This is why a sound 2FA implementation caps failed attempts per account and suspends the account once the cap is exceeded, which is the behavior behind the suspension emails Dashlane users received.
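The guessing arithmetic above, together with the per-account lockout that turns repeated failures into a suspension, as an added example. This is not Dashlane's code and nothing here comes from its advisory: it assumes a six-digit code, a 30-second validity window, 2,000 guesses per second against an unthrottled endpoint, and a five-failure lockout threshold. Dashlane has not published its code length, window or threshold, so every constant is illustrative, and the valid code "004242" is constructed for the demonstration.

```python
from __future__ import annotations

import hmac
import math
from dataclasses import dataclass

# Assumed parameters (not from the advisory): typical TOTP-style values.
CODE_SPACE = 10**6          # six decimal digits -> one million possible codes
WINDOW_SECONDS = 30         # how long one code stays valid
ATTEMPTS_PER_SEC = 2_000    # assumed throughput against an unthrottled endpoint
MAX_FAILURES = 5            # assumed failed guesses before the account is suspended


def attempts_per_window(rate: int = ATTEMPTS_PER_SEC, window: int = WINDOW_SECONDS) -> int:
    """How many guesses fit inside one code's lifetime if nothing slows the attacker."""
    return rate * window


def success_probability(attempts: int, code_space: int = CODE_SPACE) -> float:
    """Chance that `attempts` distinct guesses against one code include the valid one."""
    return min(attempts, code_space) / code_space


def windows_to_reach(target: float, per_window: float) -> int:
    """Consecutive codes an attacker must attack to reach `target` cumulative odds.

    Each window carries a fresh code, so windows are independent trials and the
    cumulative success probability after n windows is 1 - (1 - p)^n.
    """
    return math.ceil(math.log(1 - target) / math.log(1 - per_window))


@dataclass
class DeviceRegistration:
    """Server-side state for one pending 'register a new device' request."""
    code: str                       # the code valid for the current window
    max_failures: int = MAX_FAILURES
    failures: int = 0
    suspended: bool = False

    def verify(self, guess: str) -> str:
        """Returns 'ok', 'wrong' or 'suspended'."""
        if self.suspended:
            return "suspended"      # even the right code is refused once locked
        if hmac.compare_digest(guess, self.code):   # constant-time comparison
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.suspended = True   # the lockout that produces a suspension email
            return "suspended"
        return "wrong"


def brute_force(reg: DeviceRegistration, budget: int) -> tuple[str, int]:
    """Attacker loop: submit 000000, 000001, ... until success, lockout or budget.

    Returns (outcome, number of guesses submitted).
    """
    budget = min(budget, CODE_SPACE)
    for n in range(budget):
        outcome = reg.verify(f"{n:06d}")
        if outcome != "wrong":
            return outcome, n + 1
    return "exhausted", budget


if __name__ == "__main__":
    per_window = success_probability(attempts_per_window())
    print(f"unthrottled: {attempts_per_window()} guesses per window -> "
          f"{per_window:.1%} per code, 50% cumulative after "
          f"{windows_to_reach(0.5, per_window)} codes")

    open_ep = DeviceRegistration(code="004242", max_failures=CODE_SPACE + 1)
    print("no lockout:", brute_force(open_ep, attempts_per_window()))

    locked_ep = DeviceRegistration(code="004242")
    print("with lockout:", brute_force(locked_ep, attempts_per_window()))
    print("owner's correct code afterwards:", locked_ep.verify("004242"))
```

Under these assumptions the unthrottled endpoint gives the attacker 60,000 guesses per window, a 6% chance per code and even odds within twelve codes, about six minutes; the lockout caps the attacker at five guesses, a one-in-200,000 chance, before the account is suspended. The last line shows the cost of that defense: once the attacker has burned the five attempts, the legitimate owner's correct code is refused too, which is the mass-lockout effect the rest of this article describes.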
Several users received unauthorized login attempt notifications from countries including Korea and Russia. Dashlane did not confirm whether any attempt fully succeeded in gaining account access, though it disclosed a more serious development for a small number of users.
Attackers Copied Encrypted Vaults for Fewer Than 20 Users
The most significant detail from Dashlane’s official advisory involves a small subset of accounts. Attackers managed to download a copy of the encrypted vaults belonging to fewer than 20 personal plan users. Dashlane contacted each of those users directly.
The encryption still holds. Without the Master Password, nobody can open or read a Dashlane vault, so the copied files are useless unless the attacker can guess that password. The caveat is that a copied vault can be attacked offline, with no rate limit or lockout in the way, so its safety now rests entirely on the strength of the Master Password protecting it. Users whose vaults were not affected do not need to reset anything. If Dashlane did not send you a direct notification about vault risk, the attack did not reach your account in this way.
Dashlane’s Response and the 2FA Disruption
Dashlane opened its investigation at 15:19 UTC on May 31 and marked the incident resolved at 22:30 UTC the same day. All suspended accounts were restored by that point.
The response was not seamless, however. The attack also disrupted Dashlane’s email notification and 2FA systems. Some users tried entering their one-time passcodes and got nothing back but an error message. That left people stuck: accounts suspended, backup codes failing, and little real-time guidance coming from the company.
Dashlane later changed its status page from “resolved” to “monitoring” on June 1. Beyond the status page and individual social media replies, the company made no broader public announcement about the incident.
Criticism Over Communication
Users pushed back hard on Dashlane’s handling of the communication. Many found out about the attack through Reddit rather than any direct company channel, and the silence during the most critical hours frustrated them.
For a product that people trust with every password they own, that gap matters. A clear, timely public statement during the attack would have reduced confusion and helped users understand what steps, if any, they needed to take.
Jordan Fylolenko, Dashlane’s Senior Director of Corporate Communications, confirmed the situation: “We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended. Our team is actively engaged in this issue and taking measures to further protect customers. There is no evidence of compromise of Dashlane’s systems.”
What This Means for Password Manager Users
Dashlane’s internal systems were not breached. The vault encryption held. But the Dashlane brute force attack still exposed a real weakness in how 2FA protections handle high-volume automated campaigns: suspending an account after repeated failed codes stops the guessing, but it also gives an attacker a way to lock legitimate users out at scale. It exposed an equal weakness in how companies communicate when those defenses trigger mass lockouts.
Password managers sit at the center of most people’s digital security. An attack that disrupts access, even temporarily, has consequences far beyond the password manager itself. This incident specifically targeted the small space of possible one-time codes, which automated guessing can exhaust; the short lifetime of each code, rate limiting and lockout systems all exist to keep that from working.
Check your email if you use Dashlane. Users whose vaults were unaffected do not need to change credentials. Even so, now is a good time to evaluate your master password. A stolen encrypted vault only becomes dangerous if an attacker can crack the password that locks it, and that cracking happens offline at whatever speed the attacker’s hardware allows, with none of the rate limits that protect a live login. A long, unique master password is the one control that still matters once the file is in someone else’s hands.
Final Thoughts
The Dashlane brute force attack was contained, and the automated defenses worked as designed. Fewer than 20 users had encrypted vaults copied, and all suspended accounts are now restored. But the communication during the incident fell short of what users needed. Security products earn long-term trust not just through encryption strength, but through how clearly and quickly they speak when something goes wrong.