Dashlane Breach: Attackers Downloaded Encrypted Vaults via 2FA Spraying

Dashlane disclosed a coordinated attack that downloaded encrypted password vaults for fewer than 20 personal plan users. The attackers exploited the device enrollment API, brute-forcing one-time six-digit tokens across many accounts simultaneously.

The Attack Vector: Device Enrollment Abuse

Dashlane's device enrollment flow works like this: when adding a new device, the user receives a one-time six-digit token via email (or authenticator app if 2FA is enabled). That token must be entered into the new device to complete registration and receive an encrypted vault copy.

Attackers targeted the API endpoints for device registration with a brute-force attack. Rather than guessing one account's token (1 in 1,000,000 odds within a 3-hour window), they sprayed attempts across many accounts. For example, targeting 1,000 accounts reduced the odds to 1 in 1,000 per attempt. Rate limiting per account became ineffective because each account received only a few attempts.

Dashlane's automated systems locked accounts after detecting anomalous requests, but the attackers still succeeded on fewer than 20 accounts before mitigation.

What Attackers Got: Encrypted Vaults, Not Plaintext Passwords

The downloaded vaults are encrypted with the user's master password using Argon2. Dashlane uses Argon2 to derive the encryption key, making brute-force cracking computationally expensive. Even with GPUs or specialized hardware, cracking a strong master password (long, random, high entropy) is infeasible.

However, weak master passwords (e.g., common words from cracking dictionaries) are vulnerable. Dashlane stated no vault fields are unencrypted (unlike the 2022 LastPass breach where URLs were plaintext).

Comparison to LastPass Breach

In 2022, LastPass attackers obtained encrypted vaults and later decrypted some due to two factors: unencrypted fields (URLs) and outdated key derivation functions. Dashlane claims all vault fields are encrypted and automatically upgrades its algorithm to stronger versions without user friction.

Mitigation and Recommendations

Dashlane has contacted affected users. Unaffected users need no action. For those affected, Dashlane recommends changing both the master password and all stored passwords as a precaution.

Technical Deep Dive: Why 2FA Spraying Works

The attack is a textbook example of credential spraying adapted to one-time tokens. By spreading attempts across many accounts, attackers defeat per-account rate limiting. The attack required no vulnerability in Dashlane's cryptographic implementation—only the probabilistic nature of guessing tokens across a large user base.

Key technical details:

  • Token space: 1,000,000 possibilities (6 digits)
  • Validity window: 3 hours
  • Attack strategy: parallel brute-force across many accounts
  • Success rate: <0.001% of targeted accounts
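The arithmetic behind the spraying description above and the key details list, as an added worked example (written for this page; it is not from the article or from Dashlane's own analysis). The token space and validity window are the article's figures; the per-account and per-source caps passed to `compare_controls` are assumed values chosen to show the effect. The model goes slightly beyond the text: `accounts_needed` gives the general spray size for any target probability, and `compare_controls` contrasts a per-account cap alone with an added per-source budget.

```python
from math import ceil, log

# Figures from the article: six-digit token, three-hour validity window.
TOKEN_SPACE = 1_000_000
WINDOW_HOURS = 3


def p_single_account(attempts: int, space: int = TOKEN_SPACE) -> float:
    """Chance of hitting one account's token with `attempts` distinct guesses
    submitted inside the validity window (no repeats, so linear in attempts)."""
    return min(attempts, space) / space


def expected_successes(accounts: int, attempts_per_account: int,
                       space: int = TOKEN_SPACE) -> float:
    """Expected number of accounts whose token is guessed when the same small
    per-account budget is spread over `accounts` accounts."""
    return accounts * p_single_account(attempts_per_account, space)


def p_any_success(accounts: int, attempts_per_account: int,
                  space: int = TOKEN_SPACE) -> float:
    """Probability that at least one sprayed account is enrolled by the attacker."""
    p = p_single_account(attempts_per_account, space)
    return 1.0 - (1.0 - p) ** accounts


def accounts_needed(attempts_per_account: int, target: float,
                    space: int = TOKEN_SPACE) -> int:
    """How many accounts a sprayer must touch to reach `target` probability of
    at least one success, given a fixed per-account attempt budget."""
    p = p_single_account(attempts_per_account, space)
    if p >= 1.0:
        return 1
    return ceil(log(1.0 - target) / log(1.0 - p))


def compare_controls(accounts: int, per_account_cap: int, per_source_cap: int,
                     space: int = TOKEN_SPACE) -> dict:
    """Expected successes in one validity window under two defensive settings
    (assumed values, chosen for illustration):
    - only a per-account cap: the sprayer gets per_account_cap guesses on every account;
    - plus a per-source cap: total guesses from one source are bounded, whatever
      the number of accounts touched."""
    only_account_cap = expected_successes(accounts, per_account_cap, space)
    total_guesses = min(accounts * per_account_cap, per_source_cap)
    # With a source-wide budget the expected successes depend only on total guesses.
    with_source_cap = total_guesses / space
    return {"only_account_cap": only_account_cap, "with_source_cap": with_source_cap}


if __name__ == "__main__":
    print(f"one account, one guess: {p_single_account(1):.1e}")
    print(f"1,000 accounts, one guess each: P(any) = {p_any_success(1000, 1):.6f}")
    print(f"accounts for a 50% chance at 5 guesses each: {accounts_needed(5, 0.5):,}")
    print(compare_controls(accounts=100_000, per_account_cap=5, per_source_cap=1_000))
```

The point of `compare_controls` is that a per-account cap alone scales the attacker's expected haul linearly with the number of accounts touched, while a per-source (or global) budget pins it to a constant regardless of how thinly the attempts are spread.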

Actionable Takeaways for Developers

  1. Implement rate limiting per IP and per account with exponential backoff.
  2. Use account lockout after N failed attempts, but remember that a spray attack spreads its attempts across many accounts and may never reach N on any one of them.
  3. Monitor for unusual patterns like many failed token validations across different accounts from a single IP.
  4. Use strong key derivation functions like Argon2 for password hashing.
  5. Avoid unencrypted fields in vaults—everything should be encrypted.
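Takeaways 1 to 3 implemented together as an added example (this is illustrative code written for this page, not Dashlane's enrollment service). The gate keeps a per-account failure counter with exponential backoff and lockout, a per-IP failure cap, and a cross-account view per source that flags the spray pattern a per-account counter never sees. Account names, IP addresses, tokens and all thresholds are constructed values; a real service would also expire tokens after the validity window and persist these counters in shared storage.

```python
import hmac
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed pending enrollments: account -> the six-digit token that was e-mailed.
# In a real service this lives in a store with an expiry; values here are made up.
PENDING_TOKENS = {
    "alice@example.com": "482913",
    "bob@example.com": "105577",
}
# Compared against when no enrollment is pending, so unknown accounts cost the same time.
DUMMY_TOKEN = "000000"


@dataclass
class EnrollmentGate:
    account_max: int = 5        # failures per account per window before lockout
    ip_max: int = 20            # failures per source IP per window before block
    spray_threshold: int = 10   # distinct failing accounts from one IP -> flag as spraying
    base_backoff: float = 1.0   # seconds; doubled for every further failure on the account
    fails_by_account: dict = field(default_factory=lambda: defaultdict(int))
    fails_by_ip: dict = field(default_factory=lambda: defaultdict(int))
    accounts_by_ip: dict = field(default_factory=lambda: defaultdict(set))
    locked_accounts: set = field(default_factory=set)
    blocked_ips: set = field(default_factory=set)

    def backoff_seconds(self, account: str) -> float:
        """Exponential backoff derived from the account's failure count."""
        n = self.fails_by_account[account]
        return 0.0 if n == 0 else self.base_backoff * 2 ** (n - 1)

    def attempt(self, account: str, ip: str, token: str) -> tuple:
        """Validate one enrollment token. Returns (outcome, backoff_seconds)."""
        if account in self.locked_accounts:
            return "locked", self.backoff_seconds(account)
        if ip in self.blocked_ips:
            return "ip_blocked", 0.0
        expected = PENDING_TOKENS.get(account, DUMMY_TOKEN)
        # Constant-time comparison; always executed so timing does not reveal
        # whether an enrollment is pending for this account.
        matched = hmac.compare_digest(token.encode(), expected.encode())
        if account in PENDING_TOKENS and matched:
            self.fails_by_account.pop(account, None)   # success clears the counter
            return "ok", 0.0
        self.fails_by_account[account] += 1
        self.fails_by_ip[ip] += 1
        self.accounts_by_ip[ip].add(account)
        if self.fails_by_account[account] >= self.account_max:
            self.locked_accounts.add(account)
        if self.fails_by_ip[ip] >= self.ip_max:
            self.blocked_ips.add(ip)
        return "denied", self.backoff_seconds(account)

    def spray_sources(self) -> list:
        """IPs whose failures are spread over many distinct accounts."""
        return sorted(ip for ip, accts in self.accounts_by_ip.items()
                      if len(accts) >= self.spray_threshold)


def run_demo() -> dict:
    """Constructed traffic: one source sprays a single guess at 25 accounts while a
    legitimate user mistypes twice and then succeeds."""
    gate = EnrollmentGate()
    sprayer = "203.0.113.7"
    spray_outcomes = [gate.attempt(f"user{i:03d}@example.com", sprayer, "123456")[0]
                      for i in range(25)]
    legit = "198.51.100.4"
    legit_outcomes = [gate.attempt("alice@example.com", legit, t)
                      for t in ("482931", "482193", "482913")]
    return {
        "spray_denied": spray_outcomes.count("denied"),
        "spray_blocked": spray_outcomes.count("ip_blocked"),
        "first_block_index": spray_outcomes.index("ip_blocked"),
        "locked_accounts": len(gate.locked_accounts),
        "spray_sources": gate.spray_sources(),
        "legit_outcomes": legit_outcomes,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

In the demo no account is ever locked, because the sprayer touches each one only once; it is the per-IP cap and the distinct-account count per source that stop and flag it. The backoff value is returned rather than slept on so the caller (or an API gateway) can enforce it without blocking a worker thread.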

Dashlane has published a detailed security advisory. The incident underscores that even robust encryption can be undermined by weak authentication flows.