Dashlane lifts the lid on attack that saw hackers download encrypted user vaults

The company said it has now informed all affected customers, and taken action to shut down the operation

Dashlane logo and branding pictured on a smartphone screen, with logo in white lettering against a black background.
(Image credit: Getty Images)

Password management firm Dashlane said it has completed its investigation into an attack that allowed hackers to steal around 20 encrypted vaults.

The incident kicked off on Sunday, May 31, when a hacker launched an attack against a number of Dashlane user accounts by brute-forcing two-factor authentication (2FA) protections, allowing them to register new devices on existing accounts.

Dashlane said that, because of the high volume of attempts on user accounts, its security controls automatically locked the accounts targeted by the attack.

However, the attackers were still able to download a copy of the encrypted vaults of around 20 personal plan users, all of whom have now been notified. Some customers were also prevented from adding new devices or logging in to their account with 2FA.


"Dashlane vault data cannot be accessed without the Master Password, and our vault encryption ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time," said the firm.

"There is no evidence that Dashlane’s internal system has been impacted."

How the Dashlane attack unfolded

When a user enables an additional device, Dashlane verifies the identity of the account holder by sending a one-time six-digit token to the user's registered email address.

For users who have enabled 2FA, the six-digit code is instead generated by their authentication app.

Once the user enters this code into the Dashlane application, Dashlane registers the device and downloads a copy of the encrypted vault to the device. The user can access this by entering the Master Password, which serves as the decryption key to the user vault.
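The flow above is what the attack targeted: a six-digit code has only a million possible values, so the control that matters is how many wrong guesses the service tolerates before it locks the registration flow, which is the behaviour the article describes. The following is an added illustration, not Dashlane's code, of a device-registration verifier that enforces such a lockout; the attempt threshold, lockout duration, account name and the ManualClock helper are all assumptions made for the example.

```python
"""Rate-limited verification of a six-digit device-registration code.
Added example; the thresholds below are assumed policy values, not Dashlane's."""
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_DIGITS = 6
MAX_ATTEMPTS = 5        # assumed: wrong guesses tolerated per challenge
LOCKOUT_SECONDS = 900   # assumed: how long the flow stays locked afterwards


@dataclass
class Challenge:
    """A pending 'register this device' challenge for one account."""
    code: str
    failed_attempts: int = 0


class ManualClock:
    """Constructed clock so the example can advance time deterministically."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class RegistrationGuard:
    def __init__(self, max_attempts: int = MAX_ATTEMPTS,
                 lockout_seconds: float = LOCKOUT_SECONDS, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self._pending: dict[str, Challenge] = {}
        self._locked_until: dict[str, float] = {}

    def _is_locked(self, account_id: str) -> bool:
        return self.clock() < self._locked_until.get(account_id, 0.0)

    def issue_challenge(self, account_id: str) -> str:
        """Create a fresh random code. A real service delivers it out of band
        (email or authenticator app); here it is returned so the example runs."""
        if self._is_locked(account_id):
            raise PermissionError("device registration is locked for this account")
        code = f"{secrets.randbelow(10 ** OTP_DIGITS):0{OTP_DIGITS}d}"
        self._pending[account_id] = Challenge(code=code)
        return code

    def verify(self, account_id: str, submitted: str) -> str:
        """Return 'ok', 'wrong', 'locked' or 'no_challenge'."""
        now = self.clock()
        if self._is_locked(account_id):
            return "locked"
        ch = self._pending.get(account_id)
        if ch is None:
            return "no_challenge"
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(ch.code.encode(), submitted.encode()):
            del self._pending[account_id]
            return "ok"
        ch.failed_attempts += 1
        if ch.failed_attempts >= self.max_attempts:
            # Lock the flow AND discard the code, so guessing cannot simply
            # resume against the same challenge once the lockout expires.
            del self._pending[account_id]
            self._locked_until[account_id] = now + self.lockout_seconds
            return "locked"
        return "wrong"


def max_guess_success_probability(max_attempts: int = MAX_ATTEMPTS,
                                  digits: int = OTP_DIGITS) -> float:
    """Upper bound on the chance that a guesser hits a uniformly random
    code before the lockout triggers: attempts allowed / size of code space."""
    return max_attempts / (10 ** digits)


def demo() -> dict:
    """Walk one account through the lockout and recovery path."""
    clock = ManualClock()
    guard = RegistrationGuard(clock=clock)
    account = "alice@example.com"  # constructed account identifier
    code = guard.issue_challenge(account)
    wrong = "000000" if code != "000000" else "000001"  # guaranteed incorrect
    results = [guard.verify(account, wrong) for _ in range(MAX_ATTEMPTS + 1)]
    right_during_lock = guard.verify(account, code)   # correct code, still refused
    clock.advance(LOCKOUT_SECONDS + 1)
    after_lockout = guard.verify(account, code)       # old code was discarded
    fresh_ok = guard.verify(account, guard.issue_challenge(account))
    return {
        "results": results,
        "right_during_lock": right_during_lock,
        "after_lockout": after_lockout,
        "fresh_ok": fresh_ok,
        "worst_case_success": max_guess_success_probability(),
    }


if __name__ == "__main__":
    print(demo())
```

With these assumed values the guard tolerates four wrong codes, locks on the fifth, refuses even the correct code while locked, and requires a new challenge afterwards; the worst-case chance of guessing a uniformly random code within the allowed attempts is 5 in a million per challenge. Rejecting the old code on lockout is the detail that matters: if the same challenge stayed valid across lockouts, an attacker could spread a sweep of the code space over many lockout windows.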

"Without the Master Password, a user cannot access the items inside the vault. The vault encryption (Argon2 + AES-256-CBC + HMAC-SHA256) used by Dashlane ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time," the company explained.

"Dashlane never stores Master Passwords or their derivatives on our servers in line with our zero-knowledge architecture."

New safeguards introduced

Dashlane said it has now deployed additional protections at the network level and within the product to increase the likelihood of detecting and filtering out malicious traffic.

Similarly, the firm will introduce additional layers of verification to the new device registration flow.

It also advises users to review the devices registered to their account and remove any that they don't recognize, and to enable 2FA on their account if they haven't already.

There's no need to change credentials or update the Master Password, said the firm, unless it's weak or easily guessed.


Emma Woollacott

Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.