Physical Address
304 North Cardinal St.
Dorchester Center, MA 02124
There are details that don’t match the privacy manager Dashlane published on Monday, warning that the attackers managed to access 20 encrypted rooms.
“Starting on Sunday, May 31, 2026, an external group launched threats to compromise some Dashlane accounts,” the company said. he said. “The goal of this attack was to brute force two-factor authentication (2FA) to allow an attacker to register new devices on existing accounts.”
Hello, Dashlane, is anyone home?
A Dashlane user who received such a 2FA request shared this screenshot of the notification, which arrived on Sunday.
A UK user was concerned and contacted Dashlane via a support bot. In the end the user did not know why the information was sent.
“Then (I) got this news from Mastodon infosec and not Dashlane alone,” the user told me. “I’m still trying to figure out what happened! Because how can you initiate a 2fa request if you don’t have 1 password? As a paying customer I think I should know about Dashlane and not Mastodon infosec people.”
Many social media forums are filled with similar comments from users who don’t understand the nature of this attack. In most cases, 2FA security is in the form of a one-time password generated by an authentication software or sent by text or email. They usually have six digits and change every 45 seconds, although as the information above shows, the number remained valid for three hours.
Brute-forcing is a trial-and-error method that quickly sends every possible combination until it hits the right one. Under this assumption, there will be 1 million possible passcodes. A successful breach would require a large number of them to be entered within a three-hour window.
Although the requirements to destroy Dashlane’s servers with a large amount of guesswork in such a short period of time are possible, they are rarely found in malicious attacks. Dashlane doesn’t make it clear that it has placed a limit on the amount of activity a user can do, although it appears to be based on the advisory’s language that “Due to the high number of attempts at user accounts, Dashlane’s security controls will lock down accounts targeted by this attack.” Even assuming there were no limits, it’s hard to imagine Dashlane’s servers not being temporarily choked by receiving 150,000 or more in an hour or so.
