Dashlane Reports Cyberattack: Hackers Steal Customer Password Vaults

Password manager maker Dashlane has reported that hackers have obtained at least a dozen encrypted vaults used for storing customer passwords during a weekend cyberattack. The company stated on its website that hackers brute-forced the company’s two-factor authentication system, granting them access to about 20 customer accounts. By defeating its two-factor mechanism, the hackers were able to download a copy of certain customers’ encrypted vaults, which store their passwords and other sensitive credentials.

Dashlane mentioned on its incident page that there was no evidence of compromise of its own systems. The company explained, “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.” They further elaborated that attackers can use automated software to “rapidly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived [two-factor] security code expires.” Dashlane has notified the 20 customers whose encrypted vaults were stolen.
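The enumeration Dashlane describes only pays off when the number of guesses per account is unbounded. The sketch below is an added example, not Dashlane's code or its stated fix: it compares a verifier with no attempt cap against one that locks the account after a few failures. The six-digit code, 30-second lifetime, 100 guesses per second and all names (`TwoFactorGuard`, `simulate_enumeration`) are assumptions made for illustration.

```python
import hmac

class TwoFactorGuard:
    """Caps failed 2FA code submissions per account (hypothetical helper)."""

    def __init__(self, max_failures=5, lockout_seconds=900):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}      # account -> failed attempts since last success/lockout
        self._locked_until = {}  # account -> time at which the lockout ends

    def verify(self, account, submitted, expected, now):
        """Return 'ok', 'denied' or 'locked' for one submission at time `now`."""
        if now < self._locked_until.get(account, 0.0):
            return "locked"      # refused without comparing the code at all
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
        return "denied"


def simulate_enumeration(guard, account, expected, rate_per_second=100, duration=30):
    """Replay sequential guesses 000000, 000001, ... for one code lifetime.

    Returns (outcome counts, whether any guess was accepted).
    """
    counts = {"ok": 0, "denied": 0, "locked": 0}
    for i in range(rate_per_second * duration):
        now = i / rate_per_second
        result = guard.verify(account, f"{i:06d}", expected, now)
        counts[result] += 1
        if result == "ok":
            return counts, True
    return counts, False


# Constructed scenario: the valid code is 001234, the client sends 100 guesses/s.
unguarded = TwoFactorGuard(max_failures=10**9)   # effectively no limit
guarded = TwoFactorGuard(max_failures=5, lockout_seconds=900)
print(simulate_enumeration(unguarded, "user@example.com", "001234"))
print(simulate_enumeration(guarded, "user@example.com", "001234"))
```

With the cap in place the lockout is checked before the code is compared, so even the correct value is refused once the account is locked, and a run of `locked` results for one account is itself a useful alerting signal.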

The stolen vaults are scrambled and cannot be read without the customer’s master password, which is only known by the customer and is not uploaded to Dashlane in plaintext. However, Dashlane noted that customers with an easily guessed master password may be at greater risk of having it guessed and their password vaults decrypted. Data breaches affecting password manager companies are rare but can have lasting consequences.

In 2022, LastPass confirmed that customer password vault backups were stolen during a cyberattack. While those vaults were protected with passwords only known to the customer, the password requirements for early customers were far weaker than the later standard, allowing hackers to brute-force and easily guess the passwords of some customers’ vaults. There have been several reports of hackers stealing vast amounts of customers’ crypto, likely by using private keys stored in stolen LastPass vaults that had their master passwords cracked following the breach.

This post is licensed under CC BY 4.0 by the author.