
Jun 04, 2026 · 5 min read

Dashlane: Hackers Brute Forced 2FA, Stole 12 Vaults

Dashlane disclosed on June 2, 2026 that attackers spent a weekend rapidly guessing two-factor codes, breached roughly 20 customer accounts, and exfiltrated at least a dozen encrypted password vaults. The only thing standing between those vaults and plaintext credentials is each user's master password.

If your password manager works correctly, brute force is supposed to be impossible. You have a master password that is not stored on the server, an authenticator code that rotates every 30 seconds, and rate limits that lock the door after a handful of bad attempts. Last weekend, attackers walked past all three at Dashlane.


Key Takeaways

  • Dashlane confirmed on June 2, 2026 that around 20 customer accounts were breached over a single weekend by attackers brute forcing two-factor authentication codes.
  • At least 12 encrypted password vaults were exfiltrated, including the stored passwords for those customers' other services.
  • Dashlane says its own infrastructure was not compromised and that vaults remain encrypted with each user's master password.
  • The pattern mirrors the 2022 LastPass breach, where stolen encrypted vaults were later cracked offline and used to drain cryptocurrency wallets.
  • Customers with weak or reused master passwords face the highest risk because attackers can now attempt offline decryption with unlimited speed.

What Happened Inside Dashlane Over the Weekend?

Dashlane says attackers used what amounts to a numeric grinder. "Rapidly submit every possible numeric combination to the system, hoping to guess" the second factor, the company wrote in its disclosure. A standard time-based one-time password is six digits, which means one million possible codes per 30-second window. With no rate limit, that is brute-forceable in seconds.

Roughly 20 customer accounts fell to the attack. From inside those accounts, the attackers pulled at least 12 encrypted vault files. Dashlane was explicit that its core systems were not breached. "No evidence of compromise of its own systems," the company said. That is the right thing to say if you are Dashlane, and the wrong thing to hear if you are a customer whose vault is now on someone else's hard drive.

Why Brute Forcing 2FA Is Not Supposed to Work

Every authentication system that accepts a short numeric code is supposed to count failed attempts. Submit the wrong code three or five times and the door should close for that account, that IP, that session, or all three. NIST's SP 800-63B guidance is unambiguous: rate-limit or lock the account before the keyspace becomes searchable.

A six-digit code without throttling is not really six digits of entropy. It is a brief speed bump. The Dashlane disclosure did not explain which throttling control failed or whether the attack came from a single IP, a distributed set of IPs, or session reuse. Until those details land, every security team running a password manager should treat their own 2FA endpoints as suspect.
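The two sections above describe the control that failed: a six-digit TOTP is only safe when the verifier counts failures and locks the account before the one-million-code keyspace becomes searchable. The following is an added example, not Dashlane's code and not based on any detail in its disclosure. It implements RFC 4226 / RFC 6238 code generation with the standard library, then wraps it in a verifier that enforces a per-account failure budget and lockout, refuses to accept a code twice, and compares codes in constant time. The lockout threshold, lockout duration and in-memory state are assumptions chosen for illustration; a production service would keep the counters in a shared store so attempts spread across servers or source IPs are still counted together.

```python
import hashlib
import hmac
import struct

STEP_SECONDS = 30   # RFC 6238 default time step
DIGITS = 6          # six-digit codes: 10**6 possible values per step


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    return hotp(secret, now // step)


def guess_success_probability(max_attempts: int, digits: int = DIGITS, window: int = 1) -> float:
    """Chance that an attacker limited to max_attempts per lockout period lands on a
    valid code when the verifier accepts the current step plus/minus `window` steps.
    With 5 attempts and a +/-1 step window this is 15 / 1,000,000."""
    valid_codes = 2 * window + 1
    return max_attempts * valid_codes / 10 ** digits


class TotpVerifier:
    """Second-factor verifier that counts failures per account and locks the account
    after max_failures, as SP 800-63B requires for short numeric secrets.
    Thresholds and in-memory state are assumptions for this example."""

    def __init__(self, max_failures: int = 5, lockout_seconds: int = 900, window: int = 1):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.window = window
        self._failures = {}       # account -> consecutive failed attempts
        self._locked_until = {}   # account -> unix time at which the lock expires
        self._last_counter = {}   # account -> time step of the last accepted code

    def verify(self, account: str, secret: bytes, submitted: str, now: int) -> bool:
        # 1. A locked account rejects everything, including the correct code.
        if now < self._locked_until.get(account, 0):
            return False
        # 2. Compare against every step in the window without early exit, so timing
        #    does not reveal which step (if any) matched. Malformed input never matches.
        current = now // STEP_SECONDS
        matched = None
        if len(submitted) == DIGITS and submitted.isascii() and submitted.isdigit():
            for step in range(current - self.window, current + self.window + 1):
                if hmac.compare_digest(hotp(secret, step), submitted):
                    matched = step
        # 3. A code is accepted once: RFC 6238 forbids reuse after a successful check.
        if matched is not None and matched > self._last_counter.get(account, -1):
            self._last_counter[account] = matched
            self._failures.pop(account, None)
            return True
        # 4. Count the failure and lock the account once the budget is spent.
        failures = self._failures.get(account, 0) + 1
        if failures >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures.pop(account, None)
        else:
            self._failures[account] = failures
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 6238 reference secret and a fixed clock.
    secret = b"12345678901234567890"
    v = TotpVerifier()
    print("correct code accepted:", v.verify("alice", secret, totp(secret, 59), 59))
    for _ in range(5):
        v.verify("bob", secret, "000000", 59)
    print("correct code after lockout:", v.verify("bob", secret, totp(secret, 59), 59))
    print("per-window guess success chance:", guess_success_probability(5))
```

The point of the failure budget is visible in `guess_success_probability`: with five attempts per lockout and a three-step acceptance window, a guesser has a 15-in-a-million chance per window, versus certainty within seconds when nothing counts the attempts. The lockout is keyed on the account rather than the source address because the disclosure leaves open whether the attempts came from one IP or many.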

How Bad Is an Encrypted Vault on Someone Else's Server?

An encrypted vault is only as strong as the master password protecting it. Dashlane derives a key from that master password using a hashing function with deliberate slowdowns. In theory, a strong unique master password takes centuries to crack offline. In practice, three things go wrong.

  • Most users do not pick a strong unique master password. They pick something they can remember.
  • Once a vault is in attacker hands, there is no rate limit. They can throw a cloud full of GPUs at it indefinitely.
  • Cracked vaults reveal every credential inside — including the email account every password reset eventually goes back to.

That third point is the one nobody talks about until it is too late. The 2022 LastPass incident proved it. Researchers at TRM Labs traced more than $150 million in stolen cryptocurrency to vaults exfiltrated in that breach. The vaults were encrypted. The master passwords were weak. The result was the same.
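The section above rests on two quantities: how expensive one offline guess is (set by the key derivation function) and how many guesses the master password can absorb (its entropy). The following is an added example, not Dashlane's code; the page does not state Dashlane's actual KDF or parameters, so PBKDF2-HMAC-SHA256 from the standard library stands in, with OWASP's recommended 600,000 iterations. The attacker hash rate, the 20-bit figure for a memorable password, and the diceware passphrase lengths are constructed assumptions used to show why a stolen vault is a timer rather than a wall.

```python
import hashlib
import math

# Assumptions for this example, not Dashlane's actual scheme.
PBKDF2_ITERATIONS = 600_000   # OWASP recommendation for PBKDF2-HMAC-SHA256
KEY_BYTES = 32
DICEWARE_WORDS = 7776         # entries in a standard diceware list (6**5)


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the master password into a vault key. The iteration count is the only
    thing that makes each offline guess expensive once the vault file is stolen."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_BYTES)


def passphrase_entropy_bits(word_count: int, wordlist_size: int = DICEWARE_WORDS) -> float:
    """Entropy of a randomly generated passphrase of word_count diceware words."""
    return word_count * math.log2(wordlist_size)


def offline_guesses_per_second(raw_hmac_rate: float, iterations: int) -> float:
    """Approximate guesses per second for an attacker who can evaluate raw_hmac_rate
    HMAC-SHA256 calls per second: one guess costs about `iterations` HMAC calls."""
    return raw_hmac_rate / iterations


def seconds_to_exhaust(entropy_bits: float, raw_hmac_rate: float,
                       iterations: int = PBKDF2_ITERATIONS) -> float:
    """Worst-case time to try every password in a keyspace of 2**entropy_bits
    when no server is left to rate-limit the attacker (the vault is offline)."""
    return 2 ** entropy_bits / offline_guesses_per_second(raw_hmac_rate, iterations)


def human_time(seconds: float) -> str:
    """Render a duration in the largest unit that fits."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    # Constructed scenario: an attacker with 1e9 raw HMAC-SHA256 evaluations per second.
    RAW_RATE = 1e9
    key = derive_vault_key("correct horse battery staple", b"\x00" * 16)
    print("vault key (hex):", key.hex())
    candidates = {
        "memorable word + digits (~20 bits, assumed)": 20.0,
        "4 diceware words": passphrase_entropy_bits(4),
        "6 diceware words": passphrase_entropy_bits(6),
    }
    for label, bits in candidates.items():
        t = seconds_to_exhaust(bits, RAW_RATE)
        print(f"{label:45s} {bits:5.1f} bits  worst case {human_time(t)}")
```

Under these assumptions a 20-bit master password falls in about ten minutes, while a six-word diceware passphrase (about 77.5 bits) takes longer than the age of the universe at the same guess rate. The KDF multiplies the cost of every guess by the same factor for both; only the entropy of the master password changes the exponent, which is why step 1 of the advice below is to replace it rather than to hope the KDF holds.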

What Dashlane Customers Should Do Today

If you are a Dashlane customer, treat the next 72 hours as if your vault is being decrypted in parallel by someone else.

  1. Change your Dashlane master password to a long random passphrase you have never used anywhere else.
  2. Rotate the passwords for every account stored in the vault — start with email, banking, and identity providers, in that order.
  3. Replace any TOTP-based 2FA with a hardware security key (FIDO2 or WebAuthn) where the service supports it.
  4. Revoke active sessions for your Google, Microsoft, and Apple accounts so any tokens lifted from the vault stop working.
  5. Watch your primary email closely for password reset emails you did not initiate over the next 30 days.

Why Email Comes First

Almost every password reset on the internet flows back to your email inbox. If an attacker decrypts your vault and pulls out the Gmail or Outlook password, they own your identity provider — and from there, every other account that trusts a "Forgot password?" email. That is why this is not just a Dashlane story. It is an email security story dressed up as a password manager story.

The Dashlane disclosure is short on detail and long on reassurance. The reassurance does not change the math: 12 encrypted vaults are out, and the only timer running is how long it takes to crack the weakest master password among them. For more on how attackers chain stolen credentials back to inboxes, see our coverage of ShinyHunters' vishing breach at Charter Communications and the recent Pitney Bowes Salesforce phishing breach.
