Dashlane Hack: Fewer Than 20 Encrypted Vaults Stolen in 2FA Attack
Quick summary
Dashlane disclosed on June 2, 2026 that a brute-force 2FA campaign that began May 31, 2026 let attackers download encrypted vaults for fewer than 20 personal-plan users. The vaults are zero-knowledge encrypted; users with weak master passwords are the ones at risk.
Dashlane said attackers downloaded encrypted password vaults for fewer than 20 personal-plan users after a brute-force campaign that targeted two-factor authentication starting May 31, 2026 — disclosed publicly June 2, 2026.
Dashlane stressed no breach of its internal systems and that vaults remain unreadable without each user's master password under its zero-knowledge design.
What Happened?
An external threat actor hammered 2FA codes to register unauthorized devices on targeted accounts. A registered device can sync/download the user's encrypted vault from Dashlane servers.
| Fact | Detail |
|---|---|
| Start date | May 31, 2026 |
| Vaults exfiltrated | < 20 personal subscribers |
| Dashlane infra | Not compromised (per company) |
| User notification | Direct outreach to affected accounts only |
| Wider impact | Temporary account lockouts from high-volume attempts |
If you did not receive a Dashlane-specific vault-risk email, the company says your vault was not downloaded.
Why Developers Should Care Anyway
Scale is small; architecture lessons are not.
Offline attacks now have time: Once ciphertext is exfiltrated, attackers can guess master passwords offline forever. Weak or reused master passwords defeat zero-knowledge marketing.
2FA is not magic: SMS/app 2FA stops casual abuse but brute-forceable channels remain a weak point when attackers can attempt millions of codes against device registration flows.
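The weak point described above is a verifier that will compare as many codes as an attacker cares to send. The following added example (not Dashlane's code; account names, codes and the in-memory store are constructed) puts an unbounded OTP check beside one with a per-account failure budget and lockout, plus a small harness that exercises both so the difference is visible:

```python
import hmac
import time
from collections import defaultdict

# Added example (not Dashlane's code): two in-memory models of the OTP check
# that gates a device-registration flow. Account names and codes are constructed.


class UnboundedOtpVerifier:
    """Weak design: every guess is compared, so a 6-digit code falls to enumeration."""

    def __init__(self, expected_code: str):
        self._expected = expected_code

    def verify(self, account: str, code: str) -> bool:
        return hmac.compare_digest(self._expected, code)


class RateLimitedOtpVerifier:
    """Hardened design: a per-account failure budget inside a sliding window,
    then a lockout during which codes are rejected without being compared."""

    def __init__(self, expected_code: str, max_failures: int = 5,
                 window_seconds: float = 300.0, lockout_seconds: float = 900.0,
                 clock=time.monotonic):
        self._expected = expected_code
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._clock = clock                 # injectable so tests need not sleep
        self._failures = defaultdict(list)  # account -> timestamps of failed guesses
        self._locked_until = {}             # account -> time the lockout ends

    def verify(self, account: str, code: str) -> bool:
        now = self._clock()
        if self._locked_until.get(account, 0.0) > now:
            return False
        # keep only failures inside the sliding window
        recent = [t for t in self._failures[account] if now - t < self.window]
        self._failures[account] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[account] = now + self.lockout
            return False
        if hmac.compare_digest(self._expected, code):
            recent.clear()
            return True
        recent.append(now)
        return False


class FakeClock:
    """Manual clock so the window and lockout can be exercised deterministically."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def guess_success_probability(attempts: int, digits: int = 6) -> float:
    """Probability that `attempts` distinct guesses hit one fixed `digits`-digit code."""
    space = 10 ** digits
    return min(attempts, space) / space


def exercise_verifier(verifier, account: str, budget: int) -> int:
    """Test harness: feed sequential codes until one is accepted or the budget runs out.
    Returns the number of calls made, or -1 if nothing was accepted (the outcome the
    rate-limited verifier should force)."""
    for i in range(budget):
        if verifier.verify(account, f"{i:06d}"):
            return i + 1
    return -1
```

The lockout is the visible cost of this defence: it is exactly the "temporary account lockouts from high-volume attempts" the incident table lists as the wider impact. In practice the per-account budget is paired with per-source-IP limits and a notification whenever a new device is registered, so a locked-out user learns why before assuming a glitch.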
Agent era credential storage: Teams wiring Codex, Claude Code, and OpenClaw to dozens of SaaS tools should assume password managers are high-value targets — see OpenAI Codex 5M Users for how many new OAuth surfaces enterprise agents touch.
Better patterns:
- Hardware security keys (FIDO2) where supported — not brute-forceable OTP loops
- Long unique master passwords — treat as root CA for your identity
- Separate vaults for work vs personal; no shared master
- For CI/CD and agents: short-lived tokens in secret managers, not exported vault CSVs
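Two of the points above, that an exfiltrated vault gives the attacker unlimited offline time and that the master password must therefore be long and unique, reduce to arithmetic a user can run for themselves. The added example below (not Dashlane's code; the PBKDF2 parameters, the guess rate and the sample passwords are assumptions, and the character-class estimate is an upper bound that flatters dictionary words) derives a vault key the way a zero-knowledge client would and reports how long an offline guesser would need:

```python
import hashlib
import math
import string

# Added example (not Dashlane's code). The KDF parameters, guess rates and the
# sample passwords are assumptions chosen to illustrate the arithmetic.

PUNCT = set(string.punctuation)  # the 32 printable ASCII symbols


def keyspace_bits(password: str) -> float:
    """Upper-bound entropy estimate from length and the character classes present.
    A dictionary word with a digit bolted on is far weaker than this suggests."""
    alphabet = 0
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in PUNCT for c in password):
        alphabet += len(PUNCT)
    if " " in password:
        alphabet += 1
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Client-side key derivation in a zero-knowledge design: the server only ever
    sees ciphertext, so only the KDF cost slows an offline guesser."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Average time to find the password: half the keyspace at the given guess rate."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration for a report line."""
    year = 365.25 * 24 * 3600
    if seconds < 3600:
        return f"{seconds:.0f} seconds"
    if seconds < year:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / year:,.0f} years"


def report(password: str, guesses_per_second: float) -> str:
    bits = keyspace_bits(password)
    return (f"{len(password)} chars, ~{bits:.1f} bits: "
            f"{describe(expected_crack_seconds(bits, guesses_per_second))}")


if __name__ == "__main__":
    # Assumed attacker throughput: a KDF tuned to ~1 ms per guess per core,
    # spread over 1,000 cores, i.e. 1e6 guesses/second. Constructed figure, not a benchmark.
    RATE = 1e6
    for pw in ["sunshine1", "Tr0ub4dor&3", "correct horse battery staple"]:
        print(report(pw, RATE))
```

The thing to notice is which variable the user controls. The KDF work factor is set by the vendor and bounded by how long a login may take; the guess rate is set by the attacker's hardware budget; only the keyspace term is the user's, and it grows exponentially with length. That is why the list above calls the master password the root of trust for the whole identity.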
Key Takeaways
- May 31–June 2, 2026: Dashlane brute-force 2FA campaign; < 20 encrypted vaults downloaded
- Zero-knowledge still holds if master passwords are strong
- No internal Dashlane breach reported; issue is account-level device registration
- Affected users notified individually
- For developers: audit registered devices, upgrade 2FA to phishing-resistant keys, never reuse master passwords
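The first developer action above, auditing registered devices, is mechanical enough to script. The added example below (not a Dashlane tool; the JSON export format, field names and the three sample devices are constructed, and the window close on the June 2 disclosure date is an assumption) flags any device registered inside the incident window or carrying a name the user does not recognise:

```python
import json
from datetime import datetime, timezone

# Added example (not a Dashlane tool). The export format below is a constructed
# stand-in; adapt the field names to whatever your password manager actually exports.

INCIDENT_START = datetime(2026, 5, 31, tzinfo=timezone.utc)            # campaign start, per the article
INCIDENT_END = datetime(2026, 6, 2, 23, 59, 59, tzinfo=timezone.utc)   # disclosure date; closing the window here is an assumption

# Constructed sample: two long-standing devices and one registered mid-incident.
SAMPLE_EXPORT = """
[
  {"id": "dev-1", "name": "Alice MacBook", "platform": "macos",
   "registered_at": "2025-11-03T09:12:00+00:00", "last_sync": "2026-06-03T07:40:00+00:00"},
  {"id": "dev-2", "name": "iPhone 15", "platform": "ios",
   "registered_at": "2026-04-12T18:05:00+00:00", "last_sync": "2026-06-03T06:58:00+00:00"},
  {"id": "dev-3", "name": "Windows-PC-01", "platform": "windows",
   "registered_at": "2026-06-01T03:14:00+00:00", "last_sync": "2026-06-01T03:15:00+00:00"}
]
"""


def parse_devices(raw: str) -> list:
    """Turn the exported JSON into records with timezone-aware datetimes."""
    devices = []
    for entry in json.loads(raw):
        devices.append({
            "id": entry["id"],
            "name": entry["name"],
            "platform": entry["platform"],
            "registered_at": datetime.fromisoformat(entry["registered_at"]),
            "last_sync": datetime.fromisoformat(entry["last_sync"]) if entry.get("last_sync") else None,
        })
    return devices


def audit_devices(devices, known_names, start=INCIDENT_START, end=INCIDENT_END):
    """Return (device id, reasons) for every device the user should inspect.
    Rules: registered inside the incident window, or a name the user does not recognise."""
    findings = []
    for d in devices:
        reasons = []
        if start <= d["registered_at"] <= end:
            reasons.append("registered during the incident window")
        if d["name"] not in known_names:
            reasons.append("device name not in the user's known set")
        if reasons:
            findings.append((d["id"], reasons))
    return findings


def format_findings(findings) -> str:
    if not findings:
        return "no devices need review"
    return "\n".join(f"{dev_id}: {'; '.join(reasons)}" for dev_id, reasons in findings)


if __name__ == "__main__":
    known = {"Alice MacBook", "iPhone 15"}
    print(format_findings(audit_devices(parse_devices(SAMPLE_EXPORT), known)))
```

A flagged device should be removed from the account before anything else; if its registration could have been followed by a vault sync, treat the vault as downloaded and rotate the master password and the credentials inside it, since the offline-guessing clock described above is already running.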
Frequently Asked Questions
How many Dashlane users were affected by the June 2026 hack?
Dashlane said fewer than 20 users on personal subscription plans had encrypted vaults downloaded by attackers. The company notified those users directly and stated users who did not receive that notice were not impacted by vault download.
Can hackers read stolen Dashlane vaults?
Dashlane uses zero-knowledge encryption. Stolen vault files remain encrypted without the user master password. Users with weak or easily guessed master passwords face higher risk of offline cracking attempts.
How did attackers access Dashlane vaults?
Attackers launched a brute-force campaign against two-factor authentication starting May 31, 2026, attempting to register unauthorized devices on user accounts. Successful device registration allowed download of encrypted vault copies from Dashlane servers.
Was Dashlane's internal infrastructure breached?
Dashlane stated there is no evidence its internal systems were impacted. The incident involved targeted account-level authentication attacks rather than a server-side database breach.
Written by
Software Engineer based in Delhi, India. Writes about AI models, semiconductor supply chains, and tech geopolitics — covering the intersection of infrastructure and global events. 795+ posts cited by ChatGPT, Perplexity, and Gemini. Read in 164 countries.
