Dashlane confirms brute-force attack targeting users
Users of the Dashlane password manager have taken to social media after their accounts were disabled as a security measure following a now-confirmed brute-force hacking campaign targeting an as-yet-unknown number of account holders. Impacted users have been sent emails that read: “Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries.” These users were also advised to contact customer support. The brute-force attacks appear to have started on Sunday, May 31, when Dashlane confirmed that it was investigating “reports from several users having received an email that their account has been suspended.” Dashlane also said that some users were “experiencing difficulties in logging in to Dashlane after resetting their master password.” Later the same day, Dashlane updated that status message to say that the situation had been resolved, saying that “certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security measures.”
While it is important to note that Dashlane has stated that there is no evidence that its systems have been compromised, the incident status has changed once again. As of June 1, it has now reverted from resolved to monitoring. I have reached out to the password manager organization for further clarification.
What Dashlane Users Should Know About Brute Force Attacks
A brute-force attack, also known as credential-stuffing, occurs when a threat actor uses as many username and password combinations as possible in the hope that one will unlock the account in question. Most often, the credentials being used will have come from dark web marketplaces where databases of leaked and compromised passwords are traded.
This is important for Dashlane users to understand, as it suggests that this incident is part of an opportunistic campaign rather than pointing to the discovery of any security vulnerability with Dashlane itself. This has been made clear by Dashlane itself in postings on X, as well as the previously referenced status messages.
As well as not sharing account passwords, users are advised by Dashlane to turn on two-factor authentication “for an extra layer of security.” There is no need to delete your Dashlane account or to consider this a reason to stop using the service, as password managers remain an important piece of the better security model for most consumers.
