Full Report
Password manager Dashlane has disabled a number of user accounts as a precaution amid a spate of brute force attacks. It didn’t specify the scale of the attack, although scores of users have queried the reason for receiving emails informing them of account suspensions. “Your account has been temporarily suspended for security reasons as someone…
Analysis Summary
# Incident Report: Dashlane Brute Force and Account Suspension Spate
## Executive Summary
In early June 2026, the password manager Dashlane responded to a spate of brute-force attempts against its new-device registration flow by temporarily suspending the targeted accounts. Dashlane did not disclose the scale of the attack; scores of users reported receiving suspension emails. A suspension was triggered when someone tried to register a new device on an account and repeatedly failed to enter the correct verification token. No breach of Dashlane's systems or of any user vault was reported; the primary impact was that legitimate users were locked out of their vaults until they verified their identity with support.
## Incident Details
- **Discovery Date:** June 02, 2026
- **Incident Date:** June 01–02, 2026
- **Affected Organization:** Dashlane
- **Sector:** Information Technology / Cybersecurity
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Circa June 01, 2026
- **Vector:** Brute force of the new-device verification token
- **Details:** External actors triggered Dashlane's new-device registration flow against many accounts and repeatedly submitted wrong tokens. That flow issues the token once the account email is entered, so the attacker needs only a list of email addresses to trigger it; the report does not establish that the attackers also held master passwords, so credential stuffing is possible but unconfirmed.
### Lateral Movement
- **N/A:** There is currently no evidence of lateral movement within Dashlane’s internal infrastructure; the attack was focused on the external user authentication interface.
### Data Exfiltration/Impact
- **Data Exfiltration:** None confirmed.
- **Impact:** Legitimate users were locked out of their password vaults, causing significant operational disruption and concern regarding account security.
### Detection & Response
- **Detection:** Per-account lockout logic: several wrong token entries during a single new-device registration attempt automatically suspended the account.
- **Response Actions:** Dashlane suspended targeted accounts automatically to prevent unauthorized access and notified the owners by email: *"Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries."* Suspended users had to contact support and verify their identity before access was restored.
## Attack Methodology
- **Initial Access:** Brute force against the new-device token, the second step of the login portal; credential stuffing of master passwords is not confirmed.
- **Persistence:** Not applicable; attempts were blocked at the authentication gate.
- **Privilege Escalation:** Not applicable.
- **Defense Evasion:** Not applicable.
- **Credential Access:** Repeated guessing of the "New Device Token"; whether the attackers also knew the accounts' master passwords is not stated.
- **Discovery:** Not applicable.
- **Lateral Movement:** Not applicable.
- **Collection:** None; no attempt is known to have got past the token step to vault data.
- **Exfiltration:** Not applicable.
- **Impact:** Availability: legitimate owners of targeted accounts lost access to their vaults until support verified their identity (account suspension is the only impact reported).
## Impact Assessment
- **Financial:** Undisclosed; primarily related to increased customer support volume.
- **Data Breach:** None reported; no attempt is known to have passed the token step, let alone reached encrypted vault data.
- **Operational:** "Scores of users" unable to access saved passwords until contacting support.
- **Reputational:** Moderate; while the security measures worked, the scale of the attack caused public concern among the user base.
## Indicators of Compromise
- **Network indicators:** None disclosed in the report (IPs used by attackers were not published).
- **File indicators:** N/A.
- **Behavioral indicators:** Multiple failed "New Device" registration attempts across disparate accounts; failure to provide correct 2FA/email tokens.
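The behavioral indicators above can be checked in authentication telemetry. What follows is an added example, not Dashlane's own detection logic or log format: it runs over constructed JSON log lines (the field names `event`, `account`, `src` and `result`, the addresses and the thresholds are all assumptions) and separates three patterns that a plain per-account lockout conflates: one account receiving several wrong tokens in a short window, one source failing tokens against many accounts (address enumeration or spraying), and a user who mistypes once and then succeeds from the same source.

```python
"""Classify new-device token failures in constructed auth logs (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (one JSON object per line); not real Dashlane telemetry.
# Addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"ts": "2026-06-01T22:00:01Z", "event": "new_device_token", "account": "alice@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:00:03Z", "event": "new_device_token", "account": "alice@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:00:05Z", "event": "new_device_token", "account": "alice@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:00:09Z", "event": "new_device_token", "account": "bob@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:00:12Z", "event": "new_device_token", "account": "carol@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:00:15Z", "event": "new_device_token", "account": "dave@example.com", "src": "203.0.113.7", "result": "fail"}
{"ts": "2026-06-01T22:01:00Z", "event": "new_device_token", "account": "erin@example.com", "src": "198.51.100.4", "result": "fail"}
{"ts": "2026-06-01T22:01:30Z", "event": "new_device_token", "account": "erin@example.com", "src": "198.51.100.4", "result": "ok"}
{"ts": "2026-06-01T22:02:00Z", "event": "master_password", "account": "erin@example.com", "src": "198.51.100.4", "result": "ok"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def token_failures(events):
    """Failed token entries grouped per account (timestamps) and per source (accounts hit)."""
    per_account = defaultdict(list)
    per_source = defaultdict(set)
    for ev in events:
        if ev["event"] == "new_device_token" and ev["result"] == "fail":
            per_account[ev["account"]].append(ev["ts"])
            per_source[ev["src"]].add(ev["account"])
    return per_account, per_source


def analyze(events, window=timedelta(minutes=10), account_threshold=3, fanout_threshold=3):
    """Return the accounts being hammered, the sources spraying many accounts,
    every account touched by a spraying source, and the likely human typos."""
    per_account, per_source = token_failures(events)

    # An account is "hammered" if `account_threshold` failures fall inside one `window`.
    hammered = set()
    for account, times in per_account.items():
        times = sorted(times)
        for i in range(len(times) - account_threshold + 1):
            if times[i + account_threshold - 1] - times[i] <= window:
                hammered.add(account)
                break

    # A source failing tokens against many distinct accounts is enumerating or spraying.
    spraying = {src for src, accts in per_source.items() if len(accts) >= fanout_threshold}
    touched = set()
    for src in spraying:
        touched |= per_source[src]

    # A failure followed by success from the same source, below the hammer threshold,
    # is the ordinary mistyped code; locking such users out is the false-positive cost.
    last_fail_src = {}
    typos = set()
    for ev in events:
        if ev["event"] != "new_device_token":
            continue
        if ev["result"] == "fail":
            last_fail_src[ev["account"]] = ev["src"]
        elif last_fail_src.get(ev["account"]) == ev["src"] and ev["account"] not in hammered:
            typos.add(ev["account"])

    return {
        "hammered_accounts": sorted(hammered),
        "spraying_sources": sorted(spraying),
        "touched_by_spray": sorted(touched),
        "likely_typos": sorted(typos),
    }


if __name__ == "__main__":
    for key, value in analyze(parse_events(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the constructed sample, only `alice@example.com` crosses the per-account threshold, but the source view shows the same IP touching four accounts with one failure each; a lockout keyed purely on per-account failures sees only the first pattern, while a per-source view catches the spray before any single account has failed "several" times. The third bucket, `erin@example.com`, is the legitimate user that an aggressive per-account suspension would have locked out.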
## Response Actions
- **Containment measures:** Proactive suspension of accounts showing suspicious login patterns.
- **Eradication steps:** Not disclosed; blocking of the attacking sources is presumed but unconfirmed.
- **Recovery actions:** Instructing suspended users to contact https://support.dashlane.com, verify their identity, and have access restored.
## Lessons Learned
- **Lockout Worked, at an Availability Cost:** The trigger that suspends an account after several wrong new-device tokens prevented account takeover. Because anyone who knows an account's email address can fire that trigger, the same control let the attacker lock legitimate users out of their vaults, turning a failed takeover into a denial of service that only support could reverse.
- **Communication Lag:** The sudden influx of suspension emails caused user confusion, highlighting the need for a real-time status page during mass brute-force events so that users can tell a platform-wide defensive action from an attack on their own account.
## Recommendations
- **For Users:** Keep the Dashlane master password unique and not reused on any other site, so that a leaked password elsewhere cannot be stuffed into the login. Enable app- or hardware-based 2FA (e.g. a YubiKey) where the platform supports it. Treat an unexpected suspension email with care: open the Dashlane app or type the support address yourself rather than following links in the email, since a mass suspension event is a ready pretext for phishing.
- **For the Organization:** Bind the failure counter to the issued token rather than to the account: after a few wrong entries, invalidate that token and require a fresh one with a back-off on issuance, while already-registered devices keep working. Apply CAPTCHA or per-source limits at the token-request step, where one source touching many accounts is visible, so that far fewer legitimate accounts need manual restoration by support staff.
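One way to implement the token-bound design in the recommendation above, as an added example rather than Dashlane's code: the attempt counter lives on the issued token, not on the account, so exhausting it burns the token and imposes an issuance cooldown while already-registered devices keep working; a separate per-source budget on token requests catches one address spraying many accounts. All policy constants, the class and function names, and the simulated accounts and addresses are assumptions made for the example.

```python
"""Token-bound throttling for a new-device verification step (added example)."""
import hmac
import secrets
import time
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Policy knobs; the values are illustrative assumptions, not Dashlane's settings.
MAX_TOKEN_ATTEMPTS = 3      # wrong guesses before the token (not the account) is burned
TOKEN_TTL = 600             # seconds an issued token stays valid
ISSUE_COOLDOWN_BASE = 30    # seconds before a new token may be issued after a burned one
MAX_SOURCE_REQUESTS = 20    # token requests one source may make per WINDOW, across all accounts
WINDOW = 600


@dataclass
class TokenState:
    token: str
    issued_at: float
    attempts: int = 0


@dataclass
class AccountState:
    current: Optional[TokenState] = None
    burned: int = 0            # consecutive tokens exhausted by wrong guesses
    next_issue_at: float = 0.0  # issuance cooldown, doubles with each burned token


class NewDeviceTokenVerifier:
    """Guards the new-device token step; never suspends the account itself."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self.clock = clock
        self.accounts: Dict[str, AccountState] = {}
        self.source_requests: Dict[str, List[float]] = defaultdict(list)

    def request_token(self, account: str, src: str) -> Tuple[str, Optional[str]]:
        """Issue a 6-digit token. A real service e-mails it and never returns it;
        it is returned here only so the simulation below can enter it."""
        now = self.clock()
        recent = [t for t in self.source_requests[src] if now - t < WINDOW]
        recent.append(now)                      # refused requests still count against the source
        self.source_requests[src] = recent
        if len(recent) > MAX_SOURCE_REQUESTS:
            return "source_throttled", None     # one source spraying many accounts
        st = self.accounts.setdefault(account, AccountState())
        if now < st.next_issue_at:
            return "cooldown", None             # back-off after a burned token
        token = f"{secrets.randbelow(10**6):06d}"
        st.current = TokenState(token=token, issued_at=now)
        return "issued", token

    def verify(self, account: str, candidate: str) -> str:
        st = self.accounts.get(account)
        if st is None or st.current is None:
            return "no_token"
        now = self.clock()
        if now - st.current.issued_at > TOKEN_TTL:
            st.current = None
            return "expired"
        st.current.attempts += 1
        if hmac.compare_digest(st.current.token, candidate):   # constant-time comparison
            st.current, st.burned, st.next_issue_at = None, 0, 0.0
            return "ok"
        if st.current.attempts >= MAX_TOKEN_ATTEMPTS:
            st.current = None                   # burn the token, not the account
            st.burned += 1
            st.next_issue_at = now + ISSUE_COOLDOWN_BASE * 2 ** (st.burned - 1)
            return "token_invalidated"
        return "wrong"


def simulate() -> Dict[str, object]:
    """Attacker burns a token and is refused a new one; the owner logs in after the cooldown;
    a second attacker spraying token requests across accounts hits the per-source budget."""
    clock = [1000.0]                            # fake monotonic clock for a deterministic run
    v = NewDeviceTokenVerifier(clock=lambda: clock[0])
    acct, attacker, owner = "alice@example.com", "203.0.113.7", "198.51.100.4"
    log: List[str] = []
    status, token = v.request_token(acct, attacker)
    log.append(status)                          # issued
    wrong = "000001" if token != "000001" else "000002"
    for _ in range(MAX_TOKEN_ATTEMPTS):
        log.append(v.verify(acct, wrong))       # wrong, wrong, token_invalidated
    log.append(v.request_token(acct, attacker)[0])  # cooldown
    clock[0] += ISSUE_COOLDOWN_BASE + 1
    status, token = v.request_token(acct, owner)
    log.append(status)                          # issued
    log.append(v.verify(acct, token))           # ok: the owner was delayed, not suspended
    spray = [v.request_token(f"user{i}@example.com", "203.0.113.9")[0]
             for i in range(MAX_SOURCE_REQUESTS + 1)]
    return {"single_account": log, "spray_last": spray[-1], "spray_allowed": spray.count("issued")}


if __name__ == "__main__":
    print(simulate())
```

The residual cost of this design is that an attacker who knows the email address can still impose the issuance cooldown on the victim; that is a bounded delay on registering a new device rather than a suspension that needs a support ticket, which is the trade the recommendation is making. The per-source budget is only a first filter, since a distributed attacker spreads requests across addresses; the per-token counter and cooldown are what hold regardless of how many sources are used.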