A recent hacking campaign against password manager Dashlane has highlighted a weakness in how two-factor authentication (2FA) codes are verified, one that could have significant implications for the adult industry. The attackers successfully brute-forced their way past 2FA protections on fewer than 20 personal plan user accounts, downloading copies of those users' encrypted password vaults.
The attack began on May 31, 2026, when an external threat actor launched a high-volume brute-force campaign against Dashlane's user accounts. The attacker focused specifically on the platform's device registration API endpoints, flooding them with automated requests designed to guess the 6-digit one-time tokens sent via email or generated by authenticator apps.
What Happened
Dashlane's automated security systems responded as intended, triggering automatic lockouts across targeted accounts before the attack was fully contained. The threat actor exploited Dashlane's device registration flow, which is triggered whenever a user adds a new device to their account. Upon successful 2FA verification, Dashlane registers the device and automatically downloads a copy of the encrypted vault to that device.
By brute-forcing valid 6-digit tokens for a subset of accounts, attackers were able to complete the registration flow, effectively authorizing the device and downloading encrypted vault copies without the account holder's knowledge. Fewer than 20 personal plan users had their encrypted vaults exfiltrated, and all affected users were directly notified by Dashlane.
Background and Context
Dashlane uses a zero-knowledge architecture to protect user data: the vault is encrypted on the client with a key derived from the master password, which Dashlane never receives, so even with a copy of the vault an attacker cannot read its contents without that password. The encryption stack used by Dashlane includes Argon2 for key derivation, AES-256-CBC for encryption and HMAC-SHA256 for integrity. With a strong master password, brute-forcing the vault offline is computationally infeasible even over extended timeframes. The caveat is that the attacker now holds the ciphertext and can attempt that offline attack at leisure with no rate limiting at all, so a short, guessable or reused master password is the remaining risk for the affected users.
The attack exploited a fundamental limitation of time-based one-time password (TOTP) 2FA codes: they are typically six digits, giving only one million possible values per 30-second window. An attacker who submits N distinct guesses while a code is valid has roughly N in 1,000,000 odds of hitting it, and the odds accumulate across windows because each new code is an independent draw. Automated systems can submit thousands of attempts per second, so if the verifying endpoint does not enforce a tight per-account attempt limit and lockout, the probability of guessing a valid code within a few minutes becomes non-trivial. The code format is not the weakness; the absence of a small, enforced attempt budget on the endpoint that checks it is. A one-time code delivered by email that stays valid for minutes rather than 30 seconds gives the attacker correspondingly more guesses per code.
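The arithmetic above, and the difference an attempt limit makes, can be shown in a small simulation. The following is an added example, not Dashlane's code or any reconstruction of its endpoint: it implements standard RFC 4226/6238 HOTP/TOTP code generation, a hypothetical device-registration check that accepts a code with or without a per-account attempt limit, a sequential brute-force attacker, and the success-probability formula. The secret, account name, attempt limit and attacker rate are constructed values for illustration.

```python
"""Simulated 2FA check on a device-registration endpoint, with and without
a per-account attempt limit, plus the brute-force probability arithmetic.
Added example, not Dashlane's code; endpoint name, limits and secret are assumed."""
import hashlib
import hmac
import struct
from functools import lru_cache
from typing import Optional, Tuple

DIGITS = 6
CODE_SPACE = 10 ** DIGITS   # one million possible 6-digit codes
TOTP_STEP = 30              # RFC 6238 default code lifetime, seconds


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % (10 ** digits):0{digits}d}"


@lru_cache(maxsize=None)
def totp(secret: bytes, now: int, step: int = TOTP_STEP) -> str:
    """RFC 6238 TOTP: HOTP over the current time step. Cached only so the
    simulated brute force below does not recompute the same HMAC a million times."""
    return hotp(secret, now // step)


class DeviceRegistrationEndpoint:
    """Hypothetical /devices/register handler (an assumed name). A correct code
    registers the device; in the real flow the encrypted vault would then be sent.
    max_attempts=None models an endpoint with no per-account attempt budget."""

    def __init__(self, secret: bytes, max_attempts: Optional[int] = None):
        self.secret = secret
        self.max_attempts = max_attempts
        self.failed_attempts = {}   # account -> consecutive failures
        self.locked = set()         # accounts that need out-of-band recovery

    def register_device(self, account: str, code: str, now: int) -> str:
        if account in self.locked:
            return "locked"                        # refuse even a correct code
        expected = totp(self.secret, now)
        if hmac.compare_digest(expected, code):    # constant-time comparison
            self.failed_attempts.pop(account, None)
            return "registered"
        n = self.failed_attempts.get(account, 0) + 1
        self.failed_attempts[account] = n
        if self.max_attempts is not None and n >= self.max_attempts:
            self.locked.add(account)
            return "locked"
        return "rejected"


def brute_force(endpoint: DeviceRegistrationEndpoint, account: str, now: int,
                guesses_per_window: int, max_windows: int) -> Tuple[str, int]:
    """Attacker model: submit sequential codes, guesses_per_window of them per
    30-second window, carrying on from the last guess when the code rotates."""
    attempts = 0
    next_guess = 0
    for w in range(max_windows):
        t = now + w * TOTP_STEP
        for _ in range(guesses_per_window):
            guess = f"{next_guess % CODE_SPACE:0{DIGITS}d}"
            next_guess += 1
            attempts += 1
            result = endpoint.register_device(account, guess, t)
            if result in ("registered", "locked"):
                return result, attempts
    return "exhausted", attempts


def success_probability(guesses_per_code: int, codes_seen: int,
                        code_space: int = CODE_SPACE) -> float:
    """P(at least one hit) when guesses_per_code distinct values are tried against
    each of codes_seen independent codes: 1 - (1 - g/N)^k."""
    per_code = min(guesses_per_code, code_space) / code_space
    return 1.0 - (1.0 - per_code) ** codes_seen


if __name__ == "__main__":
    secret = b"constructed-demo-seed"   # constructed value, not a real secret
    open_ep = DeviceRegistrationEndpoint(secret)               # no limit
    print(brute_force(open_ep, "alice", 1_700_000_000, CODE_SPACE, 1))
    hard_ep = DeviceRegistrationEndpoint(secret, max_attempts=5)
    print(brute_force(hard_ep, "alice", 1_700_000_000, CODE_SPACE, 1))
    # 2,000 guesses/s for 30 s is 60,000 per window; over 20 windows (10 minutes):
    print(round(success_probability(60_000, 20), 3))
```

Against the unlimited endpoint the sequential attacker is guaranteed to register within one window. Against the limited endpoint the account locks after five failures and stays locked even for the genuine code, which is the trade-off a practitioner has to weigh: a per-account lockout is what stops the guessing, but on its own it lets an attacker lock victims out at will, so it is normally paired with per-source and per-endpoint rate limits and, as Dashlane has now done, extra verification on device registration.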
Why It Matters to the Industry
The weakness exploited by the attackers highlights the importance of robust 2FA systems in protecting user data. In the adult industry, where sensitive information is often stored and transmitted, strong authentication mechanisms are crucial to preventing unauthorized access. TOTP codes, while convenient for users, can be brute-forced if the server accepting them does not enforce a small per-account attempt limit, lock the account after repeated failures and rate-limit the source of the traffic.
The attack also underscores that every endpoint which accepts an authentication code, including device registration, account recovery and other flows outside the main login page, is a brute-force target and needs the same controls. Dashlane's response to the incident, including blocking malicious traffic at the network level and deploying additional verification layers to the device registration flow, demonstrates the importance of having those controls in place before an attacker finds the gap.
What Comes Next
Dashlane has taken steps to mitigate the weakness, including hardening API endpoint protections to detect and filter future malicious traffic. The company has also notified all affected users and recommended that they change their master passwords as a precautionary measure, since the master password is the only secret standing between the attacker and the contents of the vault copies they now hold.
The incident serves as a reminder for adult industry platforms and operators to review their own security measures and ensure that they are implementing robust 2FA systems to protect user data. By staying vigilant and proactive in addressing potential vulnerabilities, the industry can minimize the risk of similar attacks in the future.
Key Facts
- The attack began on May 31, 2026, with a high-volume brute-force campaign against Dashlane's user accounts by an external threat actor.
- The attacker targeted the device registration API endpoints, guessing the 6-digit one-time codes sent via email or generated by authenticator apps.
- Dashlane's automated systems triggered lockouts on targeted accounts, but not before the attack succeeded against a subset of them.
- Fewer than 20 personal plan users had their encrypted vaults exfiltrated; all affected users were directly notified.
- Vaults are protected by Argon2 key derivation, AES-256-CBC encryption and HMAC-SHA256 integrity checks; with a strong master password, offline brute-forcing of a stolen vault remains infeasible.