Update added on Thursday, June 4, 2026, noting completion of the incident investigation with confirmation of no additional impact to Dashlane customers or systems. Details also added on the attack and protections implemented.
Overview
Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts. The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.
Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.
Dashlane’s teams were immediately alerted and began investigating and remediating the incident.
As a result of the attack, numerous users had their accounts temporarily suspended. Access has now been restored for these accounts.
In addition, the attackers were able to download a copy of the encrypted vaults of fewer than 20 personal plan users. We have directly notified each of these users. If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account.
Dashlane vault data cannot be accessed without the Master Password, and our vault encryption ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.
There is no evidence that Dashlane’s internal system has been impacted.
Actions taken to protect customers
Traffic from threat actors has been blocked. User accounts that were suspended or blocked have been reactivated, including those of customers who had been prevented from adding new devices or from logging in to their account with 2FA. Our team has taken steps to mitigate the risk of future incidents and continues to harden our resiliency.
Summary
While our investigation continues, our efforts are focused on containing the incident and protecting our customers.
Security and privacy are core to Dashlane. We will update this advisory page as appropriate.
For accuracy, a clarification was made to the attack description after initial publication.
Update as of Thursday, June 4, 2026
Investigation complete
Dashlane has completed its investigation. No additional impact to Dashlane users has been identified, and there is no evidence that Dashlane’s internal systems have been impacted. With the investigation complete, we want to provide more detail around the incident as well as what we are doing to mitigate future risk.
Understanding device registration
The threat actor targeted a device registration flow in their attack. This flow is used to add a device, like a mobile phone or a computer, to a user’s Dashlane account.
When a user enables an additional device, Dashlane verifies the identity of the account holder. This verification is completed by sending a one-time 6-digit token to the user’s registered email address, or, for users who have enabled 2FA, by validating a 6-digit code generated by their authentication app. The user enters this code into the Dashlane application, at which point Dashlane registers the device and downloads a copy of the encrypted vault to the device. More details about the flows are documented in Dashlane’s Security Documentation.
For the user to access the items in the encrypted vault, they must enter the Master Password to decrypt it. The Master Password serves as the decryption key to the user vault.
Without the Master Password, a user cannot access the items inside the vault. The vault encryption (Argon2 + AES-256-CBC + HMAC-SHA256) used by Dashlane ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time. Dashlane never stores Master Passwords or their derivatives on our servers in line with our zero-knowledge architecture.
Attack summary
The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.
In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.
An encrypted vault must be decrypted before the items inside of it can be accessed. This is done with the Master Password, which only users know. As part of Dashlane’s zero-knowledge architecture, Dashlane does not store Master Passwords or derivatives of Master Passwords on Dashlane’s servers.
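The following is an added illustration, not Dashlane's code, of how a server-side token verifier for the device registration step described above can bound a brute force attempt and trigger the kind of automatic lockout the attack summary describes. Everything here is hypothetical: the class and function names, the 5-attempt budget, the 5-minute token lifetime and the 15-minute lockout are assumed values chosen for the example, not Dashlane's actual parameters.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed policy values for this example (not Dashlane's real settings).
TOKEN_DIGITS = 6            # the advisory describes a 6-digit one-time token
TOKEN_TTL_SECONDS = 300     # token is only valid for a short window
MAX_FAILED_ATTEMPTS = 5     # failed guesses allowed per issued token
LOCKOUT_SECONDS = 900       # how long the registration flow stays locked


@dataclass
class PendingRegistration:
    token: str
    issued_at: float
    failed_attempts: int = 0


class DeviceRegistrationVerifier:
    """Hypothetical server-side verifier for the new-device token step."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}       # account_id -> PendingRegistration
        self.locked_until = {}  # account_id -> unix time the lock expires

    def is_locked(self, account_id: str) -> bool:
        return self.clock() < self.locked_until.get(account_id, 0.0)

    def issue_token(self, account_id: str) -> str:
        """Create a fresh random token; in a real flow it is sent out of band."""
        if self.is_locked(account_id):
            raise PermissionError("device registration is locked for this account")
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self.pending[account_id] = PendingRegistration(token, self.clock())
        return token

    def verify(self, account_id: str, submitted: str) -> str:
        """Return 'locked', 'expired', 'invalid' or 'ok'; never echoes the token."""
        now = self.clock()
        if self.is_locked(account_id):
            return "locked"
        reg = self.pending.get(account_id)
        if reg is None:
            return "invalid"
        if now - reg.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[account_id]
            return "expired"
        # Constant-time comparison so response timing cannot leak matching digits.
        if hmac.compare_digest(reg.token.encode(), submitted.encode()):
            del self.pending[account_id]   # a token is single use
            return "ok"
        reg.failed_attempts += 1
        if reg.failed_attempts >= MAX_FAILED_ATTEMPTS:
            # Automatic lockout: discard the token and refuse further guesses
            # until the lock expires, so the guess budget cannot be exhausted.
            self.locked_until[account_id] = now + LOCKOUT_SECONDS
            del self.pending[account_id]
        return "invalid"


class FakeClock:
    """Controllable clock so the lockout and expiry paths can be exercised."""

    def __init__(self, start: float = 1_000.0):
        self.t = start

    def __call__(self) -> float:
        return self.t


def simulate_guessing(verifier, account_id: str, guesses) -> list:
    """Submit a sequence of guesses and return the verifier's answer to each."""
    return [verifier.verify(account_id, g) for g in guesses]


if __name__ == "__main__":
    clock = FakeClock()
    v = DeviceRegistrationVerifier(clock)
    real = v.issue_token("acct-1")
    wrong = "000000" if real != "000000" else "000001"
    print(simulate_guessing(v, "acct-1", [wrong] * 5 + [real]))
```

With a 5-guess budget per token, an attacker who does not know the token has at most 5 chances out of 1,000,000 per issued token, and once the budget is spent the account's registration flow is locked and the token discarded, so even the correct value no longer works until a new token is issued to the legitimate user.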
Additional protections for users
Dashlane has deployed additional protections at the network level and within the product to further detect and filter out malicious traffic.
Additional layers of verification are also being added to the new device registration flow. This advisory will be updated as these changes are deployed.
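As an added example of the kind of detection the paragraph above refers to (this is not Dashlane's detection logic or log format), the block below runs a sliding-window counter over constructed log lines for a hypothetical device-registration verification endpoint and flags accounts that receive too many failed token submissions, as well as source addresses that spray failures across many accounts. The endpoint path, log layout, thresholds and sample addresses (taken from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Hypothetical log layout and detection thresholds for this example.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) account=(?P<account>\S+) src=(?P<src>\S+) "
    r"endpoint=(?P<endpoint>\S+) result=(?P<result>\S+)$"
)
REGISTRATION_ENDPOINT = "/device/register/verify"  # assumed path
WINDOW_SECONDS = 60
ACCOUNT_FAILURE_THRESHOLD = 5    # failures against one account per window
SOURCE_FAILURE_THRESHOLD = 20    # failures from one source per window


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ") \
        .replace(tzinfo=timezone.utc).timestamp()
    return ev


def _record(window: deque, ts: float) -> int:
    """Add a timestamp, drop entries older than the window, return the count."""
    window.append(ts)
    while window and ts - window[0] > WINDOW_SECONDS:
        window.popleft()
    return len(window)


def detect(lines):
    """Return (flagged_accounts, flagged_sources) for failed registration tokens."""
    per_account = defaultdict(deque)
    per_source = defaultdict(deque)
    flagged_accounts, flagged_sources = set(), set()
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["endpoint"] != REGISTRATION_ENDPOINT:
            continue
        if ev["result"] != "invalid":
            continue
        if _record(per_account[ev["account"]], ev["ts"]) >= ACCOUNT_FAILURE_THRESHOLD:
            flagged_accounts.add(ev["account"])
        if _record(per_source[ev["src"]], ev["ts"]) >= SOURCE_FAILURE_THRESHOLD:
            flagged_sources.add(ev["src"])
    return flagged_accounts, flagged_sources


def build_sample_log():
    """Constructed sample traffic: one legitimate user, one spraying source,
    one account under a focused guessing run, and one unrelated endpoint."""
    base = datetime(2026, 5, 31, 2, 0, 0, tzinfo=timezone.utc)
    lines = []

    def add(offset, account, src, result, endpoint=REGISTRATION_ENDPOINT):
        ts = (base + timedelta(seconds=offset)).strftime("%Y-%m-%dT%H:%M:%SZ")
        lines.append(f"{ts} account={account} src={src} endpoint={endpoint} result={result}")

    add(0, "user-001", "192.0.2.10", "invalid")   # a typo, then success
    add(8, "user-001", "192.0.2.10", "ok")
    t = 10                                         # 4 guesses at each of 6 accounts
    for n in range(6):
        for _ in range(4):
            add(t, f"user-1{n:02d}", "203.0.113.42", "invalid")
            t += 1
    for k in range(5):                             # 5 guesses at one account
        add(40 + k * 3, "user-007", "198.51.100.7", "invalid")
    add(50, "user-007", "198.51.100.7", "invalid", endpoint="/login")  # ignored
    return lines


if __name__ == "__main__":
    print(detect(build_sample_log()))
```

The two counters catch different shapes of the same attack: a per-account threshold catches a focused run against one user even from many addresses, while a per-source threshold catches a single address spreading a few guesses over many accounts to stay under the per-account limit. Flagged keys would feed the network-level or product-level filtering the advisory mentions.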
Conclusion
Security and privacy are core to Dashlane. It is our responsibility to protect our users from these types of attacks. We will continuously invest in hardening the resiliency of Dashlane.
FAQ
What can I do as a further precaution to protect my account?
You can:
- Review the devices registered to your account and remove any you don't recognize.
- Enable 2FA on your account if you haven't already.
Do I need to change my Master Password?
No. Master Passwords are never sent to Dashlane servers in plaintext; therefore, attackers will never be able to obtain a Master Password this way. The only exception is if you suspect you may have been phished.
The most important thing you can do to keep your account secure is to use a strong Master Password. You want a Master Password that is long, unique, and difficult to guess. If you believe you have a weak or easily guessed Master Password, change your password as soon as possible.
Was my vault data stolen/breached/leaked?
We have contacted the very limited number of customers whose vaults were impacted. In those few cases, the attackers were only able to copy the encrypted vault, which requires the Master Password to unlock.
Do I need to change any of my vault credentials?
No. For the vast majority of users whose vaults were not impacted, changing credentials is not necessary.
What is a brute force attack?
A brute force attack is a trial-and-error method used by threat actors to guess secrets such as authentication credentials. In a scenario where an attacker is attempting to brute force a temporary numeric code, the attacker will typically use automated means to submit possible numeric combinations to the system, with the intent of identifying a valid one.
I thought I had deleted my account, but I still received an email about it being suspended. Do you still have my data?
Deleting an account is a different process from deleting the Dashlane extension or mobile app. We maintain the data associated with inactive accounts for 13 months as noted in our Privacy Policy, at which point it is automatically deleted. To delete your account, follow the steps here.
I am still unable to access my account. What should I do?
Please contact our Customer Support team through the chatbot on our Help Center.