    Can’t make sense of Dashlane’s vault theft notification? You’re not alone.

    By franperez66q@protonmail.com, June 4, 2026


    There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.

    “Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

    Hello, Dashlane, anybody home?

    A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.



    The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user got no information about why the notification was sent.

    “Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”

    Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. These codes are usually six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for three hours.

    Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour window.

    While it is possible to assemble the resources needed to bombard Dashlane servers with that volume of guesses in such a short period of time, they’re not commonly found in typical brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although that appears likely based on language in the advisory saying, “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so.
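The arithmetic behind the paragraphs above, worked as an added example that is not part of the original article and is not Dashlane's code. It models a six-digit code valid for three hours and compares an unthrottled guesser with one facing a per-account failure lockout; the five-failure threshold, the class and function names, and the sample account and code are assumptions made for illustration.

```python
import hmac
from typing import Optional

CODE_SPACE = 10 ** 6       # six decimal digits, per the article
WINDOW_HOURS = 3           # validity stated in the notification

def guesses_in_window(rate_per_hour: int, max_failures: Optional[int] = None) -> int:
    """Guesses possible against one code before it expires or the account locks."""
    total = rate_per_hour * WINDOW_HOURS
    return total if max_failures is None else min(total, max_failures)

def hit_probability(guesses: int) -> float:
    """Chance that distinct guesses include one fixed six-digit code."""
    return min(guesses, CODE_SPACE) / CODE_SPACE

class AttemptLimiter:
    """Per-account failure counter with lockout (assumed policy, hypothetical name)."""
    def __init__(self, max_failures: int = 5):
        self.max_failures = max_failures
        self.failures = {}

    def verify(self, account: str, submitted: str, expected: str) -> str:
        if self.failures.get(account, 0) >= self.max_failures:
            return "locked"          # refuse before comparing anything
        if hmac.compare_digest(submitted, expected):
            self.failures.pop(account, None)   # success clears the counter
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "denied"

def replay_guesses(limiter, account, expected, guesses):
    """Feed guesses through the limiter and return the list of outcomes."""
    return [limiter.verify(account, g, expected) for g in guesses]

if __name__ == "__main__":
    # 150,000 submissions per hour is the figure the article uses.
    for cap in (None, 5):
        n = guesses_in_window(150_000, cap)
        print(f"cap={cap}: {n} guesses, P(hit)={hit_probability(n):.6f}")
    # Constructed sample: six wrong guesses, then the correct code.
    sample = [f"{i:06d}" for i in range(6)] + ["731904"]
    print(replay_guesses(AttemptLimiter(5), "user@example.com", "731904", sample))
```

Without a cap, the article's rate sustained for the full window covers 45 percent of the code space; with the assumed five-failure lockout the same attacker gets five guesses per account, and even the correct code is refused once the account is locked.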


