Dashlane password vaults stolen in 2FA brute force attack

Engadget

Dashlane has disclosed that attackers downloaded encrypted password vaults from roughly 20 user accounts after exploiting the company's two-factor authentication system. The password manager provider confirmed that its internal infrastructure was not compromised. Instead, hackers used automated software to bombard the 2FA system with number combinations until they could register new devices on existing accounts.

Because vault data cannot be decrypted without the user's Master Password, the stolen files are effectively useless to the attackers unless they can separately crack that single credential. Dashlane's automated security controls detected the high volume of login attempts and locked the targeted accounts before the attack could spread further. The company has notified all affected users and blocked traffic from the threat actors.
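The kind of control described above, a per-account cap on failed second-factor checks, is sketched below as an added example; it is not Dashlane's code. The 6-digit code length, the five-failure threshold, the ten-minute window, the account names and the event format are all assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 600  # assumption: sliding window for counting failures
MAX_FAILURES = 5      # assumption: failed codes allowed per account per window

def guess_probability(attempts, digits=6):
    """Chance that at least one of `attempts` random guesses matches a code
    of `digits` decimal digits that rotates independently between guesses."""
    return 1 - (1 - 10 ** -digits) ** attempts

class TwoFactorGuard:
    """Counts failed 2FA checks per account, ignoring which IP sent them."""

    def __init__(self, window=WINDOW_SECONDS, max_failures=MAX_FAILURES):
        self.window, self.max_failures = window, max_failures
        self.failures = defaultdict(deque)  # account -> failure timestamps
        self.locked = set()

    def record(self, ts, account, ok):
        if account in self.locked:
            return "locked"  # a later correct guess must not register a device
        if ok:
            self.failures.pop(account, None)
            return "ok"
        recent = self.failures[account]
        recent.append(ts)
        while ts - recent[0] > self.window:  # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "fail"

# Constructed events: (unix_ts, account, source_ip, code_was_correct)
EVENTS = [(1000 + i, "alice@example.com", f"203.0.113.{i}", False) for i in range(8)]
EVENTS += [(1003, "bob@example.com", "198.51.100.7", False),   # one typo
           (1020, "bob@example.com", "198.51.100.7", True),
           (1030, "alice@example.com", "203.0.113.99", True)]  # guess after lockout

def replay(events):
    guard = TwoFactorGuard()
    outcomes = [guard.record(ts, acct, ok) for ts, acct, _ip, ok in sorted(events)]
    return guard.locked, outcomes

if __name__ == "__main__":
    locked, outcomes = replay(EVENTS)
    print("locked:", locked, outcomes)
    print(f"5 guesses: {guess_probability(5):.6f}, 1M guesses: {guess_probability(10**6):.2f}")
```

Counting per account rather than per source address is what keeps the cap effective when attempts arrive from many addresses, and a user who mistypes once is unaffected.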

For Dashlane customers, the incident is a reminder that zero-knowledge password managers can still surface in breach headlines even when their core encryption holds firm. Dashlane recommends that all users review which devices are registered to their accounts, enable two-factor authentication, and strengthen their Master Password. The company says it has taken steps to reduce the risk of similar incidents going forward, though it has not detailed what specific changes it made to its 2FA system to prevent another automated assault.