
Dashlane Security Breach: 20 Encrypted Vaults Stolen in Unusual 2FA Attack

Ars Technica

Password manager Dashlane disclosed a security incident in which attackers obtained 20 encrypted user vaults through a brute-force attack on May 31, 2026. The company's advisory states that external parties attempted to bypass two-factor authentication protections to register new devices on compromised accounts. However, the advisory lacks crucial details about how the attack succeeded or what specific data was accessed.

Affected users received 2FA notifications without understanding why, including a UK customer who contacted Dashlane support but received no explanation. They learned about the breach through Mastodon infosec discussions rather than through direct notification from the company. This communication gap has frustrated paying customers who expect transparent security updates.

The attack mechanics raise technical questions. Two-factor codes are typically six digits with short expiration windows, but the screenshot shows a code valid for three hours. Successful brute forcing would require millions of attempts within that timeframe, demanding substantial computational resources rarely seen in typical attacks.

Dashlane's security controls automatically locked targeted accounts due to high attempt volumes, suggesting some protective measures were in place. Still, the company hasn't clarified whether rate limiting existed or how attackers bypassed authentication. For a password manager handling sensitive credentials, this incident highlights concerning security gaps and communication failures that directly impact user trust.
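The questions raised above about code length, validity window and attempt limiting can be made concrete with a small verifier. This is an added example, not code from the article or from Dashlane: the six digits and three-hour window come from the article, while `MAX_ATTEMPTS`, `DeviceCodeVerifier` and `guess_success_probability` are hypothetical names and values chosen for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 6              # from the article: codes are typically six digits
CODE_TTL_SECONDS = 3 * 3600  # from the article: the screenshot showed three hours
MAX_ATTEMPTS = 5             # assumption: per-code guess cap, not a Dashlane value


class DeviceCodeVerifier:
    """Hypothetical verifier for a one-time device-registration code."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # account -> [code, expires_at, failed_attempts]

    def issue(self, account):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, account, guess):
        entry = self._pending.get(account)
        if entry is None:
            return "no_code"
        code, expires_at, _ = entry
        if self._now() >= expires_at:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(code.encode(), guess.encode()):
            del self._pending[account]  # single use
            return "ok"
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:
            del self._pending[account]  # burn the code; a new one must be issued
            return "locked"
        return "wrong"


def guess_success_probability(attempts, digits=CODE_DIGITS):
    """Chance that `attempts` distinct guesses hit one uniformly random code."""
    return min(attempts, 10 ** digits) / 10 ** digits
```

With the cap in place, each issued code gives a guesser at most `guess_success_probability(MAX_ATTEMPTS)`, five in a million, no matter how long the code stays valid; without a cap, the validity window and the accepted request rate are the only limits.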