HeadlinesBriefing.com

Dashlane breach exposes encrypted vaults through API abuse

Ars Technica

Dashlane disclosed a coordinated attack in which attackers targeted its device enrollment system to download encrypted password vaults from fewer than 20 user accounts. The threat actor abused the API endpoints used for device registration, brute-forcing the one-time verification codes sent to users' email addresses. Automated security systems eventually locked out the targeted accounts.

The attackers sent registration requests to many accounts at once, then attempted one-time codes across all of them. This spreads the guesses and improves the odds considerably: instead of 1 in 1 million for a single account, targeting 1,000 accounts raised the chance of a hit to about 1 in 1,000. Per-account rate limiting became less effective because the attempts were distributed across many targets rather than concentrated on any one account.
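As an added illustration (not code from the Ars Technica or Dashlane reporting), the Python below contrasts a conventional per-account lockout with a per-source "spray" detector over a constructed log of one failed OTP guess against each of 1,000 accounts, and carries the 1-in-1,000 figure through the binomial formula; the log field names and source address are assumptions.

```python
from collections import defaultdict, deque

# Constructed sample (assumed log shape, not Dashlane's real format): one
# device-enrollment OTP guess against each of 1,000 distinct accounts, all
# from a single source address, spread over 50 seconds.
ATTEMPTS = [
    {"ts": 1000.0 + i * 0.05, "account": f"user{i:04d}@example.test",
     "src": "203.0.113.7", "result": "otp_mismatch"}
    for i in range(1000)
]

def per_account_lockouts(attempts, limit=5, window=60.0):
    """Conventional control: lock an account after `limit` failed OTP attempts
    within `window` seconds. Returns the accounts that would be locked."""
    recent = defaultdict(deque)
    locked = set()
    for a in attempts:
        q = recent[a["account"]]
        q.append(a["ts"])
        while q and a["ts"] - q[0] > window:
            q.popleft()
        if len(q) > limit:
            locked.add(a["account"])
    return locked

def spray_alerts(attempts, distinct_limit=25, window=60.0):
    """Spray detector: per source, count *distinct accounts* that received a
    failed OTP attempt within `window`. One source touching many accounts is
    the signature of a distributed guess. Returns {src: peak_distinct_accounts}."""
    events = defaultdict(deque)   # src -> deque of (ts, account)
    alerts = {}
    for a in attempts:
        if a["result"] != "otp_mismatch":
            continue
        q = events[a["src"]]
        q.append((a["ts"], a["account"]))
        while q and a["ts"] - q[0][0] > window:
            q.popleft()
        distinct = len({acct for _, acct in q})
        if distinct > distinct_limit:
            alerts[a["src"]] = max(distinct, alerts.get(a["src"], 0))
    return alerts

def success_probability(accounts, guesses_each=1, code_space=10**6):
    """Chance that at least one sprayed guess matches a valid 6-digit code."""
    return 1 - (1 - 1 / code_space) ** (accounts * guesses_each)
```

With one guess per account the per-account limiter never fires, while the per-source detector flags the same traffic after the 26th distinct account.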

Unlike the 2022 LastPass incident, Dashlane's vaults contain no unencrypted fields such as website URLs. The company uses Argon2 for master password hashing, which makes offline decryption computationally expensive even with specialized hardware. Still, users who chose weak master passwords remain at higher risk, particularly if those passwords appear in password-cracking wordlists.

Dashlane contacted all affected users and confirmed that unaffected accounts require no immediate action. The company recommends changing master passwords and rotating vault contents as a precaution. The attack highlights ongoing risks in password manager security despite improved cryptographic protections.