Hackers Breached Dashlane to Download Encrypted Vaults

TL;DR: Attackers breached Dashlane's systems and downloaded fewer than 20 encrypted user password vaults. While the data remains encrypted, the incident highlights a vulnerability in the company's API that allowed for a coordinated brute-force campaign.
Key facts
- Category: Cybersecurity
- Impact: High
- Published
- Source: Ars Technica
Full summary
Attackers successfully downloaded fewer than 20 encrypted password vaults from Dashlane's systems after abusing a vulnerability in one of its APIs.
Dashlane has disclosed a security incident where attackers successfully downloaded a small number of encrypted user password vaults. The company reported that a coordinated hacking campaign targeted a large base of its users. The threat actors abused a specific API mechanism to carry out their attack. Before Dashlane's security team could detect and shut down the operation, the attackers managed to exfiltrate fewer than 20 personal user vaults. Dashlane emphasized that the downloaded vaults remain protected by strong encryption, which is tied to each user's master password. The company stated it has since secured the vulnerable API and is continuing its investigation into the full scope of the campaign.
This breach is significant because it involves a password manager, a service fundamentally built on user trust and robust security. While the exfiltrated data is encrypted, the incident itself is a serious concern. With the encrypted vaults in their possession, attackers can now attempt to crack the master passwords offline using brute-force techniques, free from any rate limiting or account lockouts. For the affected users, the strength of their master password is now the final line of defense. The attack highlights a critical lesson for developers and security teams: even when core data is encrypted, the surrounding infrastructure, particularly APIs, can present a viable attack vector.
The incident serves as a crucial reminder for organizations about the importance of API security and continuous monitoring. Threat actors are increasingly targeting APIs as a primary method to bypass traditional security controls and access sensitive data. For companies, this means regularly auditing API endpoints for potential abuse, implementing strong rate limiting, and deploying anomaly detection systems to spot unusual patterns of activity. For users of any password manager, it reinforces the need for a long, complex, and unique master password. This ensures that even if the encrypted vault is compromised, the data within remains computationally infeasible for an attacker to access.
Why it matters
This incident is a critical reminder that even with strong data encryption, vulnerabilities in surrounding infrastructure like APIs can expose sensitive user data. For password managers, where trust is paramount, any breach is significant.
Business impact
The breach, though small in scale, could damage user trust in Dashlane and password managers generally. It forces a review of API security protocols and incident response, potentially leading to increased investment in security audits and monitoring tools for similar service providers.
Action checklist
1. Audit public-facing APIs for authentication and data access flaws.
2. Review and strengthen rate-limiting policies on sensitive endpoints.
3. Ensure monitoring and alerting are in place for unusual API traffic patterns.
4. Remind users of the importance of strong, unique master passwords.
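The rate-limiting and anomaly-detection controls recommended in the summary and in steps 2 and 3 of the checklist, shown as an added example that is not Dashlane's code and does not describe its actual API. It assumes a hypothetical JSON-lines access log with the fields ts, client_ip, account_id, endpoint and status, and a hypothetical vault-export endpoint path; every log record below is constructed for the example. A sliding-window limiter throttles bursts from one client, and a separate counter flags any client that requests vaults belonging to several distinct accounts, which is the pattern a coordinated download campaign would leave behind.

```python
"""Rate limiting plus anomaly detection for a sensitive API endpoint.

Added example, not Dashlane's code. It assumes a hypothetical JSON-lines
access log with the fields ts, client_ip, account_id, endpoint and status,
and a hypothetical vault-export endpoint path. All sample records below are
constructed for the example.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical path of the endpoint that returns a user's encrypted vault.
SENSITIVE_ENDPOINTS = {"/api/v1/vault/export"}


def _rec(ts, ip, account, endpoint="/api/v1/vault/export", status=200):
    """Build one constructed access-log line (JSON lines format)."""
    return json.dumps({"ts": ts, "client_ip": ip, "account_id": account,
                       "endpoint": endpoint, "status": status})


# Constructed sample log: one ordinary client fetching its own vault twice,
# and one client pulling eight different accounts' vaults in under 30 s.
SAMPLE_LOG = [
    _rec("2024-01-01T10:00:00", "203.0.113.10", "acc-1"),
    _rec("2024-01-01T10:00:03", "203.0.113.10", "acc-1", endpoint="/api/v1/health"),
    _rec("2024-01-01T10:09:00", "203.0.113.10", "acc-1"),
] + [
    _rec(f"2024-01-01T10:05:{4 * i:02d}", "198.51.100.7", f"acc-{i + 2}")
    for i in range(8)
]


class SlidingWindowLimiter:
    """Allow at most `limit` events per key inside a trailing time window."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = timedelta(seconds=window_seconds)
        self.events = defaultdict(deque)  # key -> timestamps of allowed events

    def allow(self, key, ts):
        q = self.events[key]
        cutoff = ts - self.window
        while q and q[0] < cutoff:       # drop events that left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over budget: throttle this request
        q.append(ts)
        return True


def parse_line(line):
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def analyze(log_lines, rate_limit=5, window_seconds=60, account_threshold=3):
    """Replay the log, throttle bursts per client and flag vault enumeration.

    Returns the requests that would have been throttled and the clients that
    requested vaults for at least `account_threshold` distinct accounts. The
    enumeration counter sees every attempt, throttled or not, so slowing a
    client down never hides it from the detector.
    """
    limiter = SlidingWindowLimiter(rate_limit, window_seconds)
    accounts_per_client = defaultdict(set)
    throttled = []
    records = sorted((parse_line(line) for line in log_lines),
                     key=lambda r: r["ts"])
    for rec in records:
        if rec["endpoint"] not in SENSITIVE_ENDPOINTS:
            continue
        accounts_per_client[rec["client_ip"]].add(rec["account_id"])
        if not limiter.allow(rec["client_ip"], rec["ts"]):
            throttled.append((rec["client_ip"], rec["ts"].isoformat()))
    flagged = {ip: sorted(accts) for ip, accts in accounts_per_client.items()
               if len(accts) >= account_threshold}
    return {"throttled": throttled, "flagged_clients": flagged}


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_LOG), indent=2))
```

Run against the constructed log, the limiter lets the first five vault requests from 198.51.100.7 through and throttles the remaining three, while the enumeration check flags that client for touching eight distinct accounts; the ordinary client is neither throttled nor flagged. In production the rate limit would normally be keyed on an authenticated session or API token rather than a source IP alone, since a coordinated campaign can spread requests across many addresses, and the enumeration signal is the more robust of the two because it does not depend on request speed.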
Primary source: Ars Technica