
Password manager Dashlane says hackers have stolen some customers’ passwords

Password manager maker Dashlane says hackers stole at least a dozen encrypted vaults used to store customer passwords during a weekend cyberattack.

The company said on its website that the hackers brute-forced its two-factor authentication system, which gave them access to the accounts of up to 20 customers. By defeating the two-factor mechanism, the hackers were able to download a copy of certain customers' encrypted vaults, which store their passwords and other sensitive credentials.

Dashlane said on its incident page that there is no evidence its systems were compromised, but it has not yet said how the hackers were able to overcome its two-factor protections to gain access to customer accounts. Two-factor authentication protects accounts from being accessed with a stolen username and password, usually by requiring an additional passcode that is sent to the account holder's phone.

“The purpose of this attack was to brute-force two-factor authentication (2FA) so that the attacker could register new devices to existing user accounts,” Dashlane said. The company said attackers could use automated software to “quickly run every possible combination of numbers through the system, hoping to guess the exact sequence before the short-lived [two-factor] security code expires.”
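The defence against the code guessing the company describes is to cap how many codes may be tried per account within the code's lifetime, so that an attacker's odds stay at a few attempts in a million rather than approaching certainty. The following is an added example, not Dashlane's code: a verifier that enforces such a cap and locks the account once it is hit. The 6-digit code length, the 5-attempt cap and the 300-second lockout are assumptions chosen for illustration.

```python
"""Throttled 2FA code verification (added example, not Dashlane's code)."""
import hmac
import time

CODE_DIGITS = 6          # assumption: codes are 6 decimal digits
MAX_ATTEMPTS = 5         # assumption: attempts allowed per account per window
LOCKOUT_SECONDS = 300    # assumption: lockout length once the cap is hit


class TwoFactorVerifier:
    """Counts failed code submissions per account and locks the account
    once MAX_ATTEMPTS is exceeded, regardless of which device submits."""

    def __init__(self, clock=time.time):
        self._clock = clock            # injectable for testing
        self._attempts = {}            # account -> (count, window_start)
        self._locked_until = {}        # account -> unix time lock expires

    def verify(self, account: str, submitted: str, expected: str) -> bool:
        now = self._clock()
        if self._locked_until.get(account, 0) > now:
            return False               # locked: reject even a correct code
        count, start = self._attempts.get(account, (0, now))
        if now - start > LOCKOUT_SECONDS:
            count, start = 0, now      # previous window expired, start fresh
        count += 1
        self._attempts[account] = (count, start)
        if count > MAX_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            return False
        # Constant-time comparison so timing does not leak matching digits.
        ok = len(submitted) == CODE_DIGITS and hmac.compare_digest(submitted, expected)
        if ok:
            self._attempts.pop(account, None)   # reset counter on success
        return ok


def guess_probability(attempts: int, digits: int = CODE_DIGITS) -> float:
    """Upper bound on the chance of guessing one code in `attempts` tries.

    With the cap in place this is MAX_ATTEMPTS / 10**digits per lockout
    window; without a cap an attacker can reach 1.0 inside the code's lifetime.
    """
    return min(1.0, attempts / 10 ** digits)
```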

The company said it had “taken steps to reduce the risk of future incidents,” without specifying what those were.

Dashlane said it has notified about 20 customers whose encrypted vaults were stolen. It is not yet clear whether certain customers were targeted for a specific reason, such as who they are or what they do for a living.

A spokesperson for Dashlane did not respond to a request for comment. The company has yet to say whether it knows who targeted its customers, or if the hackers contacted Dashlane with demands, such as a ransom.

The stolen vaults are encrypted and unreadable without the customer's master password, known only to the customer and uploaded to Dashlane in plaintext, the company's website said. But Dashlane said customers with easy-to-guess master passwords may be at greater risk of having their passwords guessed and their vaults decrypted.

Data breaches affecting password manager companies are rare, but they can have lasting consequences.

In 2022, LastPass confirmed that customer password vault backups were stolen during a cyberattack. Although the vaults were protected with master passwords known only to the customer, the password requirements for early customers were much weaker than the latest standard, allowing hackers to brute-force and easily guess the master passwords of certain customer vaults. There have been several reports of hackers stealing large sums of customers' cryptocurrency, most likely by using private keys stored in LastPass vaults whose master passwords were compromised following the breach.

Last year, Australian software house Click Studios warned all customers using its flagship password manager, Passwordstate, to “reset all credentials” after hackers breached its software update system to plant malware on customers’ systems.
