That means the chances of the attackers decrypting one of the encrypted vaults they obtained is very small in the event the master password was strong, meaning long, randomly generated, and has high entropy. However, not everyone uses such master passwords. In the event the master password was included in word lists exchanged by password crackers, the chances of success would be higher, although still unlikely.
Broadly speaking, the incident has similarities to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in vaults. That meant attackers could read them even without the master password. Second, some of the stolen vaults used outdated algorithms that didn’t adequately intensify the process for converting the plain-text password into a hash. Dashlane has said that no user fields in vaults are unencrypted. Further, when algorithms are periodically strengthened to account for advances in cracking abilities, the process occurs automatically, with no interaction required. The algorithm update process for LastPass vaults at the time came with more user friction.
Dashlane’s initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, both master passwords and the contents of any of the recovered Dashlane vaults should be changed immediately to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don’t need to take any such action.
