Dashlane says hackers brute-forced 2FA, accessed some customer vaults
Encrypted vaults from fewer than 20 Dashlane personal accounts were downloaded, and weak master passwords could still put those users at risk.
The immediate risk for Dashlane customers is narrow but serious: stolen vaults were encrypted, yet attackers who hold a copy can try to crack them offline if a master password is weak or easy to guess. Dashlane said anyone who did not receive a direct message about vault risk was not affected, but users who did get one should treat the contents as exposed until they understand whether their master password could withstand offline guessing.
Dashlane said the attack began on Sunday, May 31, 2026, when an external party tried to brute-force two-factor authentication on selected accounts in an effort to register new devices on existing logins. The company said its automated security controls locked the targeted accounts because of the high volume of attempts, and numerous users were temporarily suspended before access was restored. Dashlane said the attackers downloaded copies of the encrypted vaults of fewer than 20 personal plan users.

The company said there was no evidence its internal systems were compromised. It also said master passwords are never sent to its servers in plaintext, which is why the stolen vaults cannot simply be opened by anyone who copied them. The risk, Dashlane warned, falls hardest on customers who used weak or easily guessed master passwords, because encrypted files can still be attacked later if the password protecting them does not hold up.
Dashlane’s status page showed the incident was first marked investigating at 17:50 UTC on May 31, resolved at 22:30 UTC that same day, and moved to monitoring at 07:32 UTC on June 1. Dashlane said it directly notified each affected user and later updated customers that it had restored access to the affected accounts. The company said it had blocked traffic from the threat actors and taken steps to reduce the chance of a repeat, though it did not spell out those changes publicly.
The episode put fresh pressure on password managers, which market themselves as the safest place to store a user’s most sensitive credentials. Even when vaults remain encrypted, a breach of account-security systems can create long-term exposure if attackers are able to pair stolen vaults with weak master passwords. The comparison to LastPass’s 2022 breach, where stolen vault backups later helped fuel downstream compromises, hung over the incident and underlined a hard truth for the industry: protecting the vault is not enough if the account gate can be forced open.
This article was produced by Prism’s automated news system from verified source data, official records, and press releases, then run through automated quality and moderation checks before publishing. The system is built and supervised by the people who set the standards it runs under.


