Brute-Force Attack Breaches Dashlane Accounts

TL;DR: Password manager Dashlane disclosed a security incident where an external attacker used a brute-force attack to bypass two-factor authentication. The attack resulted in the encrypted password vaults of fewer than 20 personal plan users being downloaded by the unauthorized party.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: The Hacker News
Full summary
Dashlane reports a brute-force attack bypassed 2FA, leading to the download of encrypted vaults for a small number of users.
Password manager Dashlane has announced a security breach resulting from a targeted brute-force attack. According to the company's disclosure on May 31, 2026, an external threat actor launched an attack against the two-factor authentication (2FA) systems protecting certain user accounts. This effort was successful against a very small group, allowing the attacker to download the encrypted password vaults of fewer than 20 customers who were on personal subscription plans. The incident was not a systemic compromise of Dashlane's infrastructure but rather a focused attack on individual account authentication.
While the number of directly affected users is minimal, the event is significant for security professionals and technical leaders. It highlights that 2FA is not an infallible defense and can be vulnerable to persistent, automated attacks. The incident serves as a critical reminder for organizations to review and harden their own authentication mechanisms, particularly against brute-force attempts. Although the downloaded vaults remain encrypted and require the user's master password to be unlocked, the successful breach of the 2FA layer and the exfiltration of the vault file itself represent a serious security event.
Why it matters
The breach at a major password manager, though small, highlights the vulnerability of 2FA systems to brute-force attacks and underscores the importance of robust security layers, even for encrypted data.
Business impact
This incident may cause businesses using or considering Dashlane to re-evaluate its security posture. It serves as a case study for all companies on the importance of implementing strong rate-limiting and anti-brute-force measures for authentication systems, especially those protecting sensitive customer data.
Action checklist
1. Review your organization's 2FA implementation for brute-force vulnerabilities.
2. Ensure strong, unique master passwords are used for all password managers.
3. Monitor security alerts from key software vendors like Dashlane.
4. Implement strict rate-limiting on authentication endpoints.
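One way to implement the rate limiting the checklist calls for on a 2FA verification endpoint, as an added example (not from the source article and not Dashlane's code). The class name, thresholds and the simulated guessing scenario are assumptions chosen for illustration.

```python
import time

class SecondFactorLimiter:
    """Per-account limiter for 2FA code checks (hypothetical helper).

    Failures are counted per account rather than per source IP, so spreading
    guesses across many addresses does not reset the budget.
    """
    def __init__(self, max_failures=5, window=300, base_lock=60,
                 max_lock=86400, clock=time.monotonic):
        self.max_failures = max_failures  # failures tolerated in one window
        self.window = window              # seconds a failure stays counted
        self.base_lock = base_lock        # first lockout, in seconds
        self.max_lock = max_lock          # cap for the doubling lockout
        self.clock = clock                # injectable for testing
        self._state = {}  # account -> [failure_times, lockouts, locked_until]

    def _get(self, account):
        return self._state.setdefault(account, [[], 0, 0])

    def allowed(self, account):
        """True if a code check may run for this account right now."""
        return self.clock() >= self._get(account)[2]

    def record(self, account, success):
        """Record a check result; return the lockout applied, in seconds."""
        st, now = self._get(account), self.clock()
        if success:
            st[0] = []  # lockout count is kept, so a later burst escalates
            return 0
        st[0] = [t for t in st[0] if now - t < self.window] + [now]
        if len(st[0]) < self.max_failures:
            return 0
        lock = min(self.base_lock * 2 ** st[1], self.max_lock)
        st[0], st[1], st[2] = [], st[1] + 1, now + lock
        return lock

def simulate_guessing(limiter, account, guesses, step, clock_box):
    """Constructed scenario: a client submits wrong codes every `step` seconds.
    Returns how many guesses actually reached the code comparison."""
    checked = 0
    for _ in range(guesses):
        if limiter.allowed(account):
            checked += 1
            limiter.record(account, success=False)
        clock_box[0] += step
    return checked
```

With these illustrative defaults, 1,000 wrong codes submitted one per second result in only 25 code comparisons. Tune the thresholds to the code length and validity period in use, and alert the account owner on each lockout so that one they did not cause is itself a signal.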
Primary source: The Hacker News