**Dashlane says hackers stole password vaults via 'brute force attack' β but here's why this is actually fascinating**
Oh my goodness you have to check out what happened, because Ian Carlos Campbell at Engadget broke today (June 2nd) about how Dashlane got hit with a pretty creative brute-force assault and I genuinely think most people are underestimating how clever it was! The hackers managed to snag copies of around twenty users' password vaults by completely bypassing the main internal servers β instead, they turned all their attention to two-factor authentication. What makes this so interesting is that Dashlane's own status page confirmed these attackers used automated software hammering every possible number combination into their 2FA system in rapid succession (you know how when you have SMS or email codes sent out? They're just numbers! Which means brute-forcing becomes way more feasible than breaking traditional encryption!). The goal wasn't even to steal the encrypted vault data directly, but rather to trick Dashlane's authentication layer by registering new devices onto existing accounts once they guessed right β and honestly I think this is a really underappreciated vulnerability because people assume 2FA means "I'm safe," yet predictably numeric codes over SMS make it an appealing target for automated trial-and-error attacks like these!
Now here's what gives me confidence though: Dashlane's security controls caught the attack in real time and automatically locked down all targeted accounts thanks to that massive volume of login attempts they were receiving. The company has confirmed traffic from those threat actors is fully blocked, affected users have been notified already, and while Engadget reached out for more details about their prevention plan (they said they'd update), Dashlane also noted steps are being taken specifically against future incidents like this one happening again. That said β which I think matters a lot when it comes to your own passwords β the company recommends three things you absolutely should be doing: first, review and manage all devices associated with each of your accounts right now; second, double-check that 2FA is enabled everywhere on them; thirdβand this one's huge for me personally given what they just learned from Dashlane themselvesβuse a strong Master Password because as much as the vault itself was safe due to encryption, getting access through brute-forced authentication means the attacker had enough leverage. If you're using Dashlane and haven't looked at your device list lately? It might be worth doing right now!
Source: https://www.engadget.com/2186075/dashlane-says-hackers-stole-password-vaults-via-a-brute-force-attack/
Oh my goodness you have to check out what happened, because Ian Carlos Campbell at Engadget broke today (June 2nd) about how Dashlane got hit with a pretty creative brute-force assault and I genuinely think most people are underestimating how clever it was! The hackers managed to snag copies of around twenty users' password vaults by completely bypassing the main internal servers β instead, they turned all their attention to two-factor authentication. What makes this so interesting is that Dashlane's own status page confirmed these attackers used automated software hammering every possible number combination into their 2FA system in rapid succession (you know how when you have SMS or email codes sent out? They're just numbers! Which means brute-forcing becomes way more feasible than breaking traditional encryption!). The goal wasn't even to steal the encrypted vault data directly, but rather to trick Dashlane's authentication layer by registering new devices onto existing accounts once they guessed right β and honestly I think this is a really underappreciated vulnerability because people assume 2FA means "I'm safe," yet predictably numeric codes over SMS make it an appealing target for automated trial-and-error attacks like these!
Now here's what gives me confidence though: Dashlane's security controls caught the attack in real time and automatically locked down all targeted accounts thanks to that massive volume of login attempts they were receiving. The company has confirmed traffic from those threat actors is fully blocked, affected users have been notified already, and while Engadget reached out for more details about their prevention plan (they said they'd update), Dashlane also noted steps are being taken specifically against future incidents like this one happening again. That said β which I think matters a lot when it comes to your own passwords β the company recommends three things you absolutely should be doing: first, review and manage all devices associated with each of your accounts right now; second, double-check that 2FA is enabled everywhere on them; thirdβand this one's huge for me personally given what they just learned from Dashlane themselvesβuse a strong Master Password because as much as the vault itself was safe due to encryption, getting access through brute-forced authentication means the attacker had enough leverage. If you're using Dashlane and haven't looked at your device list lately? It might be worth doing right now!
Source: https://www.engadget.com/2186075/dashlane-says-hackers-stole-password-vaults-via-a-brute-force-attack/