Dashlane explains how attackers managed to download encrypted password vaults

Dashlane has revealed that a sophisticated hacking initiative was launched against a significant portion of its user base, aiming to access as many encrypted password vaults as possible. The password management company reported that fewer than 20 individual user vaults were successfully compromised before they intervened to halt the assault. This hacking campaign, which began on Sunday, involved the exploitation of the protocol that permits Dashlane users to add new devices, including computers and smartphones, to their accounts. By manipulating Dashlane’s API for device enrollment, the attackers sent numerous requests targeting the registered email addresses of existing users. In an update released on Thursday, Dashlane detailed how the threat actors focused on the API endpoints designated for device registration. They employed a brute-force attack method to bombard these endpoints with a high volume of automated requests. In response, Dashlane’s security systems functioned effectively, automatically locking the accounts under attack to safeguard users. Despite these protective measures, the attackers managed to generate valid tokens for fewer than 20 personal plan accounts, which enabled them to register new devices and download copies of the users' encrypted vaults. When a user attempts to install the Dashlane app on a new device, the process begins with an identity verification step. Dashlane sends a one-time six-digit token to the user’s registered email address, or, for those utilizing two-factor authentication, a code from their authentication app. For the registration to be successful, users must enter this code into the Dashlane application. If completed correctly, Dashlane approves the new device enrollment and transfers a copy of the encrypted vault to it. The contents of the vault remain secure and unreadable until the user inputs their master password, which serves as the decryption key. As outlined in Dashlane’s security documentation, entering the one-time password on the new device is crucial for successful registration.