Dashlane Password Manager suffers security breach, encrypted customer vaults stolen
- Marijan Hassan - Tech Journalist
Password management service Dashlane has confirmed that an external threat actor targeted its platform, bypassed authentication checks, and successfully stole the encrypted vault files of a small number of customers. According to a series of security advisories released by the company, the attack began on Sunday, May 31, 2026. Malicious actors focused heavily on Dashlane’s API endpoints for its "device registration flow" - the automated process that kicks in when a user attempts to pair a new phone or computer to an existing account.

Bypassing two-factor authentication
The attackers launched a highly automated, high-volume brute-force attack to rapidly guess the six-digit one-time tokens used for identity verification. When adding a new device, Dashlane sends this six-digit code via email or generates it through an authentication app. By bombarding the system with rapid sequential guesses, the automated script eventually hit the valid token for a handful of targets.
Once the fake device was authorized, the Dashlane system automatically synchronized and downloaded a copy of the user's heavily encrypted password vault directly to the attacker’s machine. Dashlane confirmed that the threat actor successfully registered unauthorized devices and exfiltrated vaults for fewer than 20 customers on its personal subscription plan.
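The weakness described above is a six-digit code that can be guessed without limit. The following added example (not Dashlane's code; the policy numbers are assumptions chosen for illustration) shows the server-side controls that contain such a flow: a single-use code, a short lifetime, a per-registration failed-attempt counter, and a lock that refuses further guesses once the counter is exhausted.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values, constructed for this example (not Dashlane's real settings).
OTP_DIGITS = 6
MAX_ATTEMPTS = 5          # failed guesses allowed before the pending registration locks
OTP_TTL_SECONDS = 300     # a code is only usable for five minutes after issue


@dataclass
class PendingRegistration:
    """Server-side state for one in-flight 'pair a new device' request."""
    code: str
    issued_at: float
    failed_attempts: int = 0
    locked: bool = False


class DeviceRegistrationService:
    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable for testing expiry
        self.pending: dict[str, PendingRegistration] = {}

    def start(self, account_id: str) -> str:
        """Issue a fresh code (as if e-mailed to the user) and remember it server-side."""
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self.pending[account_id] = PendingRegistration(code=code, issued_at=self.clock())
        return code

    def verify(self, account_id: str, guess: str) -> bool:
        """Return True only for the correct, unexpired code on an unlocked registration."""
        p = self.pending.get(account_id)
        if p is None or p.locked:
            return False                         # nothing pending, or already locked out
        if self.clock() - p.issued_at > OTP_TTL_SECONDS:
            self.pending.pop(account_id, None)   # expired codes are discarded outright
            return False
        well_formed = guess.isascii() and guess.isdigit() and len(guess) == OTP_DIGITS
        if well_formed and hmac.compare_digest(p.code, guess):
            self.pending.pop(account_id)         # single use: the code cannot be replayed
            return True
        p.failed_attempts += 1
        if p.failed_attempts >= MAX_ATTEMPTS:
            p.locked = True                      # even the right code is refused from now on
        return False


def guess_success_probability() -> float:
    """Chance that a blind guesser succeeds within the attempt budget of one registration."""
    return MAX_ATTEMPTS / 10 ** OTP_DIGITS
```

With the lock in place a guesser gets at most MAX_ATTEMPTS tries per registration, so the odds of landing a valid token drop from near-certain (for an unlimited sequential sweep) to MAX_ATTEMPTS in a million, and the lock itself is the signal that should trigger the account suspension the article describes.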
System safeguards and the risk of offline cracking
Dashlane was quick to emphasize that its core infrastructure, databases, and internal servers were not breached or compromised during the incident. The company’s automated security controls detected the surge in malicious traffic, triggering automatic suspensions and lockouts on targeted accounts to prevent wider exploitation.
The password manager further assured customers that the stolen vault files remain heavily encrypted using robust primitives, with Argon2 for key derivation and AES-256-CBC for encryption.
Because Dashlane operates on a zero-knowledge architecture, master passwords are never stored on corporate servers and were not exposed in the breach. Without the master password, the data inside the stolen vaults is computationally infeasible to decrypt.
However, cybersecurity experts warn that the situation carries echoes of the infamous 2022 LastPass breach. Because the encrypted files now reside locally on attacker-controlled hardware, the threat actors face no server-side rate limits or lockouts. They can use unlimited cloud computing power and specialized graphics cards to launch relentless offline brute-force attacks against the vaults.
Next steps for users
For users with weak, simple, or reused master passwords, the risk of offline decryption is significantly elevated. Once cracked, an encrypted vault exposes every single credential stored inside, including the primary email accounts used for password resets across the rest of the web.
Dashlane has directly notified all affected users whose vaults were taken. The company stated that if a user has not received a specific security alert regarding vault exfiltration, their account was unaffected by the incident.
Following the mitigation of the attack, Dashlane deployed network-level filters to block malicious traffic and confirmed that it is adding further verification layers to the device registration pipeline to prevent similar automated token-guessing attacks in the future.