Password manager maker Dashlane announced that hackers have obtained at least 12 encrypted vaults used to store customer passwords during a weekend cyberattack.
The company announced on its website that hackers brute-forced its two-factor authentication system and granted access to approximately 20 customer accounts. By breaking that two-factor mechanism, hackers were able to download a copy of the encrypted vault containing passwords and other sensitive credentials for specific customers.
Dashlane said on its incident page that there is no evidence its systems were compromised, but it has not yet disclosed how the hackers were able to overcome the company's two-factor protection and gain access to customer accounts. Two-factor is a security feature that prevents accounts from being accessed with just a stolen username and password, typically requiring an additional passcode to be sent to the account holder's phone.
“The goal of the attack was to leverage brute force two-factor authentication (2FA) protection to allow the attacker to register new devices to existing user accounts,” Dashlane said. The company said the attackers used automated software to “quickly send all possible numerical combinations to the system, hoping to deduce the exact sequence before information is lost in the short term.” [two-factor] The security code has expired. ”
The company said it had “taken steps to reduce the risk of future accidents,” but did not elaborate.
Dashlane said it has notified about 20 customers whose encrypted safes were stolen. It is not yet clear whether specific customers were targeted because of their personality, occupation, or other reasons.
A Dashlane spokesperson did not respond to a request for comment. The company did not say whether it knows who targeted its customers or whether the hackers contacted Dashlane with a ransom or other demand.
According to the company's website, stolen vaults are scrambled and cannot be read without the customer's master password. The master password is known only to the customer and is never uploaded to Dashlane in clear text. But Dashlane said customers with easy-to-guess master passwords may be at greater risk of being guessed and having their password vaults cracked.
Data breaches affecting password management companies are rare, but can have a lasting impact.
In 2022, LastPass confirmed that its customers' password vault backups were stolen in a cyberattack. Vaults were protected by passwords known only to customers, but early customer password requirements were much weaker than later standards, making it easy for hackers to brute force and guess some customers' vault passwords. There have been several reports that hackers have stolen huge amounts of customers' cryptocurrencies. This was likely done using a private key stored in a stolen LastPass vault whose master password was decrypted after the breach.
A year ago, Australian software company Click Studios warned all customers using its flagship password manager, Passwordstate, to “reset all credentials” after hackers compromised the company's software update mechanism and planted malware on customer systems.
If you buy through links in our articles, we may earn a small commission. This does not affect editorial independence.