There’s a lot that doesn’t add up in the security advisory about the Dashlane password manager that the company published on Monday, warning that attackers managed to obtain 20 encrypted user vaults.
“As of Sunday, May 31, 2026, a third party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute force two-factor authentication (2FA) protections to allow the attacker to register new devices to existing user accounts.”
Hello Dashlane, is anyone home?
A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.
The UK user was concerned and contacted Dashlane via a support bot. In the end, the user got no information about why the notification was sent.
“So [I] discovered this news from Mastodon infosec and not Dashlane,” the user told me. “I’m currently trying to figure out what happened! Because how can you activate a 2FA request if you don’t have the password first? As a paying customer, I think I should have found out about this from Dashlane and not from the information security people at Mastodon.”
Dozens of social media discussions are filled with similar comments from users who also do not understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authenticator app or sent via text message or email. They are typically six digits long and change approximately every 45 seconds, although, as the notification above indicates, the code remained valid for three hours.
Brute force is a trial-and-error method that rapidly submits possible combinations until the correct one is found. With a six-digit code, there would be 1 million possible access codes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour period.
While the resources required to bombard Dashlane’s servers with that volume of guesses in such a short period of time are attainable, they are not commonly found in typical brute force attacks. Dashlane does not explicitly say that it imposes a rate limit on the number of 2FA code submissions an account can receive, although that seems likely given the language in the notice, which says: “Due to the high volume of attempts on user accounts, Dashlane’s security controls automatically blocked accounts that were targeted by the attack.” Even assuming there was no rate throttling, it’s hard to imagine Dashlane’s servers not being at least temporarily choked by receiving 150,000 or more submissions in about an hour.
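To put numbers on the argument above, the following script (an added illustration, not Dashlane’s code) bounds an attacker’s chance of hitting a six-digit code within the three-hour validity window under different server-side limits. The code space and window come from the article; the specific lockout and throttle values are constructed assumptions.

```python
"""Upper bound on a 2FA brute-force attacker's success as a function of
the server's rate-limit policy.  Added illustration, not Dashlane's code.
Code space (6 digits) and the 3-hour validity window follow the article;
the policy numbers below are constructed assumptions."""

import math
from dataclasses import dataclass
from typing import Optional

CODE_SPACE = 10 ** 6          # six-digit one-time codes, per the article
WINDOW_SECONDS = 3 * 60 * 60  # the code stayed valid for three hours


@dataclass(frozen=True)
class Policy:
    """Server-side limits on 2FA code submissions for one account."""
    lockout_after: Optional[int] = None  # block the account after N failures
    min_interval: float = 0.0            # seconds enforced between attempts


def max_guesses(policy: Policy, window_seconds: int = WINDOW_SECONDS) -> int:
    """Most distinct codes an attacker can submit while the code is valid."""
    guesses = CODE_SPACE  # with no limits, only the code space caps them
    if policy.min_interval > 0:
        # one attempt at t=0, then one every min_interval seconds
        guesses = min(guesses, int(window_seconds // policy.min_interval) + 1)
    if policy.lockout_after is not None:
        guesses = min(guesses, policy.lockout_after)
    return guesses


def success_probability(guesses: int, code_space: int = CODE_SPACE) -> float:
    """Chance of hitting one fixed code with `guesses` distinct attempts."""
    return min(guesses, code_space) / code_space


def guesses_for_probability(p: float, code_space: int = CODE_SPACE) -> int:
    """Distinct attempts needed before the hit probability reaches p."""
    return math.ceil(p * code_space)


if __name__ == "__main__":
    for name, policy in [
        ("no limit", Policy()),
        ("lockout after 10 failures", Policy(lockout_after=10)),
        ("one attempt per 10 s", Policy(min_interval=10)),
    ]:
        n = max_guesses(policy)
        print(f"{name:28s} {n:>8d} guesses -> {success_probability(n):.4%}")
    print("guesses for a 50% chance:", guesses_for_probability(0.5))
```

The article’s 150,000 submissions in an hour corresponds to a 15% chance per hour with no limits at all; a modest lockout or per-attempt delay drives the bound to a small fraction of a percent.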
