Our Take
Dashlane's advisory raises legitimate questions about attack feasibility that the company refuses to address, leaving paying customers to reverse-engineer a breach from social media.
Why it matters
Password manager transparency directly affects customer trust and threat assessment. When a vendor obscures how an attack succeeded, users cannot evaluate their own exposure or the adequacy of defenses.
Do this week
Security team: audit your password manager's rate-limiting and 2FA code-validity policies before the end of this week, so you can determine whether your own setup shares Dashlane's apparent gaps.
Dashlane admits to a brute-force attack, then clams up
On Monday, Dashlane published a security advisory stating that attackers obtained 20 encrypted user vaults after launching a brute-force attack against 2FA protections between May 31 and June 2, 2026. The goal, Dashlane said, was to register new devices on compromised accounts. The company reported that it "automatically locked accounts that were targeted by the attack" but disclosed no details about how many accounts were targeted, how the attack was discovered, or what the attackers accessed beyond the encrypted vaults.
Users who received 2FA notifications during the attack window contacted Dashlane support seeking an explanation. A UK-based paying customer told Ars Technica that the company's support bot offered no information. The customer only learned what had happened by reading infosec discussions on Mastodon, not from Dashlane itself.
The attack math doesn't add up without key details
Standard 2FA codes are six digits, yielding 1 million possible combinations. The Dashlane notification shown to the customer indicated the code remained valid for three hours. Brute-forcing all combinations within that window would require submitting roughly 150,000 guesses per hour, or about 42 per second, assuming even distribution across the three-hour period.
Dashlane does not explicitly state whether it enforced rate limits on authentication attempts. The advisory's language about "high volume of attempts" suggests limits existed, but the company has not clarified the threshold or whether the attack exceeded it. If no rate limits were in place, Dashlane's infrastructure would need to absorb that volume without choking. If limits were enforced, the attack's success becomes harder to explain without additional context the company has not provided.
Scores of social media discussions show users confused about basic facts. If attackers had the password, why would they need to brute-force 2FA? If they didn't have the password, how did they trigger a 2FA request at all? Dashlane's silence leaves customers guessing.
Check your own 2FA configuration
Audit your password manager's rate-limiting policy on authentication attempts. Verify that 2FA code validity windows are measured in minutes, not hours. If your vendor has published no guidance on these settings, request it. Ask specifically whether rate limits are applied per account, per IP, or both, and what the submission ceiling is per unit of time. Request copies of any internal analysis the vendor conducted after detecting the attack, including the number of accounts targeted and the success rate of the brute-force attempts.
Do not assume encrypted vaults alone provide adequate protection if the account itself can be compromised through weak 2FA controls. Dashlane's reluctance to publish these details is itself a data point: it suggests either the controls were weaker than customers should expect, or the company does not want to disclose them.