Password manager provider Dashlane disclosed that hackers gained access to some users' encrypted password libraries during a weekend cyberattack. The company stated that attackers brute-forced two-factor authentication mechanisms to gain access to approximately 20 customer accounts and downloaded at least a dozen encrypted files used to store passwords and other sensitive credentials.
Approximately 20 accounts were affected.
The announcement indicates that the attack aimed to bypass 2FA protection on accounts, allowing attackers to register new devices into existing accounts. Dashlane stated that attackers may have used automated tools to quickly try many number combinations, guessing the correct sequence before the one-time code expired.
The company stated that there is currently no evidence that Dashlane's own system was compromised, but it has not yet explained how the attackers breached its two-factor authentication defenses. Dashlane has notified affected users, but did not specify whether these accounts were targeted or disclose the attackers' identities.
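The guessing described above only works if the verifier accepts an unbounded number of code submissions while a code is valid. The following is an added example, not Dashlane's code, showing a one-time-code verifier that caps attempts per account and locks the account once the cap is exceeded, together with an upper bound on the attacker's success probability per code window with and without such a cap. The 6-digit code space, the 30-second code lifetime, the attempt cap of 5 and the 10-minute lockout are all assumed values for illustration.

```python
"""Rate-limited one-time-code verification (added example, not the vendor's code)."""
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

CODE_SPACE = 10 ** 6        # a 6-digit numeric one-time code has one million values
CODE_LIFETIME_S = 30        # assumed validity window of one code, in seconds


@dataclass
class AccountState:
    """Per-account counters kept by the verifier (assumed in-memory store)."""
    attempts: int = 0          # guesses submitted against the current code window
    window_start: float = 0.0  # when the current attempt window began
    locked_until: float = 0.0  # timestamp until which verification is refused


class OtpVerifier:
    """Verifies submitted codes while capping guesses per account.

    Without a cap, an attacker who can submit codes quickly can cover a
    meaningful fraction of the code space before the code expires; the cap
    plus a lockout keeps the number of guesses per window tiny.
    """

    def __init__(self, max_attempts: int = 5, lockout_s: float = 600.0):
        self.max_attempts = max_attempts   # assumed budget of guesses per code window
        self.lockout_s = lockout_s         # assumed lockout length after the budget is spent
        self._accounts: Dict[str, AccountState] = {}

    def verify(self, account: str, submitted: str, expected: str, now: float) -> str:
        st = self._accounts.setdefault(account, AccountState())
        if now < st.locked_until:
            return "locked"                       # refuse even a correct code during lockout
        if now - st.window_start >= CODE_LIFETIME_S:
            st.attempts = 0                       # a new code window resets the budget
            st.window_start = now
        st.attempts += 1
        if st.attempts > self.max_attempts:
            st.locked_until = now + self.lockout_s
            return "locked"
        # constant-time comparison so response timing does not leak matching digits
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            st.attempts = 0                       # successful login clears the counter
            return "ok"
        return "rejected"


def max_success_probability(requests_per_second: float,
                            attempt_cap: Optional[int] = None) -> float:
    """Upper bound on the chance of guessing one code within its lifetime.

    Uncapped, guesses are bounded only by how fast the endpoint answers;
    capped, they are bounded by the attempt budget regardless of speed.
    """
    guesses = requests_per_second * CODE_LIFETIME_S
    if attempt_cap is not None:
        guesses = min(guesses, attempt_cap)
    return min(1.0, guesses / CODE_SPACE)


if __name__ == "__main__":
    v = OtpVerifier()
    # constructed sample: five wrong guesses, then a sixth submission during the same window
    for guess in ("000000", "000001", "000002", "000003", "000004", "482913"):
        print(guess, v.verify("alice", guess, "482913", now=1000.0))
    print("uncapped bound at 1000 req/s:", max_success_probability(1000))
    print("capped bound:", max_success_probability(1000, attempt_cap=5))
```

The lockout alone is not the whole answer, since an attacker who knows a victim's account name can deliberately trigger it; a production verifier would pair the cap with alerting on repeated failures and with the device-registration step requiring a fresh code rather than reusing one that is still within its window.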
The stolen files are still encrypted.
Dashlane states that the downloaded password database is encrypted and cannot be read directly. Decrypting these files requires a master password set by the user. This master password is not uploaded to Dashlane in plaintext, therefore the company itself cannot provide this information directly.
However, the company also cautioned that if a user chose an easily guessed master password, the risk of that user's password database being cracked offline is higher. This means that even though the attacker only holds encrypted files, users with weak master passwords may still face follow-on risk.
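Why a weak master password matters even though the stolen files are encrypted: the vault key is derived from the master password with a deliberately slow key-derivation function, so the vendor holds only a salt and ciphertext and can recover nothing, but an attacker with the files can try candidate passwords offline at whatever rate the KDF allows. The following is an added example, not Dashlane's code or its actual key-derivation scheme; it assumes scrypt with an illustrative work factor and uses a simple character-class estimate of guess space to compare a weak and a strong master password.

```python
"""Vault-key derivation and offline guessing-cost estimate (added example, not the vendor's code)."""
import hashlib
import os
import string

# Assumed scrypt work factor for illustration; 128 * r * N = 16 MiB of memory per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
KEY_LEN = 32  # 256-bit vault key


def derive_vault_key(master_password: str, salt: bytes) -> bytes:
    """Derive the vault encryption key from the master password and a per-user salt.

    The salt is stored next to the ciphertext; the master password is not.
    Anyone holding salt + ciphertext still needs the password to get this key.
    """
    return hashlib.scrypt(master_password.encode("utf-8"), salt=salt,
                          n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)


def guess_space(password: str) -> int:
    """Crude upper bound on the search space of a password: alphabet size ** length.

    Counts which character classes appear and assumes an attacker must search
    every string of that length over those classes. Real attackers use wordlists
    and rules, so this overestimates the cost of dictionary-like passwords.
    """
    alphabet = 0
    if any(c in string.digits for c in password):
        alphabet += 10
    if any(c in string.ascii_lowercase for c in password):
        alphabet += 26
    if any(c in string.ascii_uppercase for c in password):
        alphabet += 26
    if any(c in string.punctuation or c == " " for c in password):
        alphabet += 33
    return alphabet ** len(password)


def expected_offline_crack_seconds(password: str, guesses_per_second: float) -> float:
    """Expected time to hit the password offline, searching half the space on average."""
    return guess_space(password) / 2 / guesses_per_second


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed per-user salt
    key = derive_vault_key("correct horse battery staple", salt)
    print("vault key:", key.hex())
    # Assumed attacker throughput for this KDF cost; a constructed figure, not a measurement.
    rate = 1_000.0
    for pw in ("123456", "Summer2022", "correct horse battery staple"):
        print(f"{pw!r}: ~{expected_offline_crack_seconds(pw, rate):.3g} s at {rate:.0f} guesses/s")
```

The derivation is deterministic for a given password and salt, which is exactly what lets the legitimate user open the vault and what lets an attacker test candidate passwords against stolen files; the only levers on the defender's side are the KDF cost and the size of the space the attacker has to search, and the second one is set entirely by the user's choice of master password.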
Historical cases have affected crypto assets.
Large-scale data breaches are uncommon for password manager companies, but when they involve password vault backups, the impact often lasts a long time. In 2022, LastPass confirmed that customer password vault backups were stolen in an attack. Due to weak master passwords for some early users, some password vaults were subsequently brute-forced.
Subsequently, multiple reports mentioned that hackers may have used the compromised LastPass password databases to obtain users' private keys for crypto assets and commit theft. Earlier, Australian software company Click Studios also had a malicious program implanted in its update mechanism, requiring Passwordstate users to reset all credentials.
Additional information: Dashlane stated that it has taken measures to reduce the risk of similar incidents happening again, but has not yet disclosed the specific measures taken, nor has it stated whether it has received any extortion demands.