Can't make sense of Dashlane's vault theft notification? You're not alone.
June 4, 2026. Source: Ars Technica
There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.
“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”
A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.
It’s possible that Dashlane’s reference to 2FA meant something else. Sometimes, 2FA comes in the form of push notifications. Once someone enters the correct account password, the notification is sent to the registered device. For the login to succeed, the user must press a button on their device that provides the second factor. A tactic known as a 2FA fatigue attack exploits the friction of this process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, causing a push notification to be sent to the target each time. After dozens or even hundreds of attempts, the target finally gives in and presses the approve button.
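The push-fatigue pattern described above, as an added example that is not from the article or from Dashlane: a small detector run over constructed authentication log lines, flagging accounts that receive a burst of push prompts and noting whether an approval followed the burst, plus the rate-limit check a defender would pair with it. The log format, field names, window and thresholds are assumptions made for illustration.

```python
"""Detect MFA push-fatigue bursts in constructed authentication logs.

Added example; the log format and thresholds below are assumptions,
not Dashlane's or the article's.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: "<ISO timestamp> <event> <account>"
# where <event> is push_sent, push_approved or push_denied.
SAMPLE_LOG = """\
2026-05-31T02:00:01Z push_sent alice
2026-05-31T02:00:05Z push_denied alice
2026-05-31T02:00:40Z push_sent alice
2026-05-31T02:01:12Z push_sent alice
2026-05-31T02:01:50Z push_sent alice
2026-05-31T02:02:30Z push_sent alice
2026-05-31T02:03:10Z push_sent alice
2026-05-31T02:03:15Z push_approved alice
2026-05-31T08:15:00Z push_sent bob
2026-05-31T08:15:09Z push_approved bob
"""

WINDOW = timedelta(minutes=10)   # assumed sliding window
THRESHOLD = 5                    # assumed prompts-per-window before flagging


def parse_log(text):
    """Parse the constructed log format into (timestamp, event, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, kind, account = line.split()
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), kind, account))
    return events


def find_fatigue_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {account: {"prompts": n, "approved_after_burst": bool}} for every
    account that received at least `threshold` push prompts inside any window.
    `prompts` is the largest burst seen; `approved_after_burst` says whether a
    push_approved event followed the end of that burst (the fatigue outcome)."""
    per_account = defaultdict(list)
    for ts, kind, account in sorted(events):
        per_account[account].append((ts, kind))

    findings = {}
    for account, evs in per_account.items():
        sends = [ts for ts, kind in evs if kind == "push_sent"]
        start = 0
        for end in range(len(sends)):
            # Slide the window start forward until it fits inside `window`.
            while sends[end] - sends[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                burst_end = sends[end]
                approved = any(kind == "push_approved" and ts >= burst_end
                               for ts, kind in evs)
                prev = findings.get(account)
                if prev is None or count > prev["prompts"]:
                    findings[account] = {"prompts": count,
                                         "approved_after_burst": approved}
    return findings


def prompt_allowed(recent_sends, now, window=WINDOW, limit=3):
    """Mitigation side: refuse to send another push once `limit` prompts have
    already gone to this account inside the window, so a burst cannot grow."""
    recent = [t for t in recent_sends if now - t <= window]
    return len(recent) < limit


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, info in find_fatigue_bursts(evs).items():
        print(f"{account}: {info['prompts']} prompts, "
              f"approved after burst: {info['approved_after_burst']}")
```

The detector reports `alice` as a six-prompt burst that ended in an approval, which is exactly the sequence a fatigue attack produces, while `bob` (one prompt, then approval) is left alone. The rate limiter is the complementary control: once a few prompts have been sent in the window, further login attempts stop generating pushes, which removes the pressure the attack depends on.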
And of course, brute-force attacks on 2FA require the first authentication factor to already have been broken. Dashlane makes no mention of what this factor is or how it was broken.
It’s also plausible that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving a request to add a device that is actually owned by the attacker.
Dashlane said it has contacted fewer than 20 account holders whose encrypted vaults were obtained. “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account,” the company said. It also notes that without the master decryption password—which Dashlane never sees or stores—vault contents remain safe.
But without more information, we’re left with more questions than we should be. Dashlane has maintained silence for more than 48 hours since publishing the opaque advisory. Company representatives didn’t respond to an email seeking details.
Post updated to add details from a Dashlane user who received the notification.