Password manager Dashlane disclosed Monday that attackers successfully obtained 20 encrypted user vaults after a brute-force attack targeting two-factor authentication protections.

According to the company, the attack began on Sunday, May 31, 2026. The goal was to brute-force 2FA protections to register new devices on existing user accounts.

- Figure 1 -

A UK-based Dashlane user who received a 2FA request said they learned about the incident from Mastodon infosec contacts, not from Dashlane directly. The user expressed frustration, noting that as a paying customer, they expected direct notification.

The attack raises technical questions. Typically, 2FA codes are six-digit one-time passwords valid for about 45 seconds. In this case, the code remained valid for three hours, significantly widening the window for brute-force attempts.

Brute-forcing one million possible passcodes within three hours is technically possible but resource-intensive. Dashlane did not specify whether rate limiting was in place, though the advisory notes that "security controls automatically locked accounts that were targeted."
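To make the two controls the article touches on concrete (the code's validity window and the account lockout that caps failed attempts), here is an added illustration, not code from Dashlane or the advisory. It models how many guesses an attacker can submit against a six-digit code under a given window, submission rate and lockout threshold, and pairs that with a minimal verifier that enforces such a lockout. The 45-second and three-hour windows come from the article; the submission rates, the five-failure lockout threshold and all account names are hypothetical inputs chosen for the example.

```python
"""Added example: bound a brute-force attempt on a six-digit 2FA code by the
validity window, the rate the attacker can submit, and a per-account lockout.
Hypothetical parameters; not Dashlane's implementation."""
import hmac
import secrets
from dataclasses import dataclass

CODE_SPACE = 10 ** 6  # six-digit one-time passcode: 000000..999999


def max_guesses(window_seconds, rate_per_second, lockout_threshold=None):
    """Upper bound on guesses that can be submitted while one code is valid.

    A lockout threshold, when present, caps the count regardless of how
    long the code stays valid, which is the point of the control.
    """
    attempts = int(window_seconds * rate_per_second)
    if lockout_threshold is not None:
        attempts = min(attempts, lockout_threshold)
    return attempts


def success_probability(guesses, code_space=CODE_SPACE):
    """Chance that `guesses` distinct guesses include the one valid code."""
    return min(guesses, code_space) / code_space


@dataclass
class AccountState:
    failures: int = 0
    locked: bool = False


class OtpVerifier:
    """Issue a code with an expiry and lock the account after N failures."""

    def __init__(self, lockout_threshold=5):
        self.lockout_threshold = lockout_threshold
        self.accounts = {}  # account id -> AccountState
        self.pending = {}   # account id -> (code, expiry timestamp)

    def issue(self, account, validity_seconds, now):
        # Cryptographically random code; `now` is passed in for determinism.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.pending[account] = (code, now + validity_seconds)
        return code

    def verify(self, account, submitted, now):
        state = self.accounts.setdefault(account, AccountState())
        if state.locked:
            return "locked"
        code, expiry = self.pending.get(account, (None, 0))
        if code is None or now > expiry:
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(code, submitted):
            del self.pending[account]
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= self.lockout_threshold:
            # Lock the account and discard the outstanding code.
            state.locked = True
            del self.pending[account]
            return "locked"
        return "rejected"


if __name__ == "__main__":
    # Hypothetical rates: 10 guesses/s against a 45 s window vs 100 guesses/s
    # against a 3 h window, then the same 3 h window with a 5-failure lockout.
    for label, args in [("45 s window, 10/s", (45, 10)),
                        ("3 h window, 100/s", (3 * 3600, 100)),
                        ("3 h window, 100/s, lockout after 5", (3 * 3600, 100, 5))]:
        g = max_guesses(*args)
        print(f"{label}: {g} guesses, P(success) = {success_probability(g):.6f}")
```

The comparison shows why the window alone is not the whole story: stretching validity from 45 seconds to three hours raises the achievable guess count by orders of magnitude, but a lockout after a handful of failures pins the attacker's odds near the threshold divided by one million whatever the window is. The verifier also discards the pending code on lockout, so unlocking the account does not revive the guessed-at code.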