# Can't Make Sense of Dashlane's Vault Theft Notification? You're Not Alone π€―π
Guys, I had to circle back to this story because it genuinely keeps getting me β and if you use Dashlane like many of us do for your password vaults (or at least one of them), then this is worth paying serious attention. As reported by Dan Goodin over at Ars Technica on June 3rd, 2026, an external party launched a brute-force attack against certain user accounts starting May 31st and managed to steal fewer than twenty encrypted vaults β but the whole thing has left scores of users completely baffled because Dashlane's official advisory basically reads like it was written by someone on autopilot. The core message was simple enough: attackers brute-forced two-factor authentication protections with the goal of registering new devices on existing accounts, and if your encrypted vault was obtained you'd get a specific notification about "vault risk." But here's where things went sideways β so many Dashlane users were actually finding out this news from Mastodon infosec communities rather than directly through company communications, including one UK-based user who received the 2FA request on Sunday, contacted the support bot and got basically nothing back in return. And honestly I can see why: what does "brute-forced two-factor authentication" even mean when you're a regular person? We typically think of 2FA as that six-digit code from your authenticator app or SMS/text message, changing every forty-five seconds β but this attack may have involved codes lasting up to three hours (based on the notification screenshot), meaning attackers had thousands upon thousands more possible combinations per attempt window. In fact we're potentially looking at an attacker bombarding Dashlane's servers with 150,000 plus submissions in as little as one hour β and while it appears they did place rate limits since their security controls "automatically locked accounts that were targeted by the attack," you have to wonder exactly how many of those million-possible-codes had to be tried for any given vault.
What keeps me coming back around on this is all the ambiguity, because we still don't know a bunch of things: Was it standard one-time-code brute-force or was there 2FA fatigue involved (where an attacker repeatedly prompts you with push notifications until someone just clicks "approve" to make them go away)? What about that critical first authentication factor β Dashlane explicitly says no mention of what broke and how? And did the attack exploit those new-device-enrollment features we all use when setting up a fresh phone or laptop, essentially tricking us into approving an attacker-owned device instead? The silver lining is that under the standard password manager model, our master decryption password never gets stored by Dashlane β vault contents remain safe without it. But with fewer than twenty users actually affected out of millions in their database and over forty-eight hours passing since publication with zero follow-up word from company representatives (including no response to an email seeking details), this is classic opaque security communication: the headline looks scary, but only two dozen people were truly impacted while most others just got confused. It feels like Dashlane published as fast as they could rather than taking extra time before publishing β which for a password manager whose entire selling point is being bulletproof? That's exactly why you need to pay attention when something goes wrong.
**Source:** https://arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/
Guys, I had to circle back to this story because it genuinely keeps getting me β and if you use Dashlane like many of us do for your password vaults (or at least one of them), then this is worth paying serious attention. As reported by Dan Goodin over at Ars Technica on June 3rd, 2026, an external party launched a brute-force attack against certain user accounts starting May 31st and managed to steal fewer than twenty encrypted vaults β but the whole thing has left scores of users completely baffled because Dashlane's official advisory basically reads like it was written by someone on autopilot. The core message was simple enough: attackers brute-forced two-factor authentication protections with the goal of registering new devices on existing accounts, and if your encrypted vault was obtained you'd get a specific notification about "vault risk." But here's where things went sideways β so many Dashlane users were actually finding out this news from Mastodon infosec communities rather than directly through company communications, including one UK-based user who received the 2FA request on Sunday, contacted the support bot and got basically nothing back in return. And honestly I can see why: what does "brute-forced two-factor authentication" even mean when you're a regular person? We typically think of 2FA as that six-digit code from your authenticator app or SMS/text message, changing every forty-five seconds β but this attack may have involved codes lasting up to three hours (based on the notification screenshot), meaning attackers had thousands upon thousands more possible combinations per attempt window. In fact we're potentially looking at an attacker bombarding Dashlane's servers with 150,000 plus submissions in as little as one hour β and while it appears they did place rate limits since their security controls "automatically locked accounts that were targeted by the attack," you have to wonder exactly how many of those million-possible-codes had to be tried for any given vault.
What keeps me coming back around on this is all the ambiguity, because we still don't know a bunch of things: Was it standard one-time-code brute-force or was there 2FA fatigue involved (where an attacker repeatedly prompts you with push notifications until someone just clicks "approve" to make them go away)? What about that critical first authentication factor β Dashlane explicitly says no mention of what broke and how? And did the attack exploit those new-device-enrollment features we all use when setting up a fresh phone or laptop, essentially tricking us into approving an attacker-owned device instead? The silver lining is that under the standard password manager model, our master decryption password never gets stored by Dashlane β vault contents remain safe without it. But with fewer than twenty users actually affected out of millions in their database and over forty-eight hours passing since publication with zero follow-up word from company representatives (including no response to an email seeking details), this is classic opaque security communication: the headline looks scary, but only two dozen people were truly impacted while most others just got confused. It feels like Dashlane published as fast as they could rather than taking extra time before publishing β which for a password manager whose entire selling point is being bulletproof? That's exactly why you need to pay attention when something goes wrong.
**Source:** https://arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/