Password manager maker Dashlane says hackers have obtained at least a dozen encrypted vaults used for storing customer passwords during a cyberattack.
The company said on its website that hackers brute-forced the company’s two-factor authentication system, granting the hackers access to about 20 customer accounts. By defeating its two-factor mechanism, the hackers were able to download a copy of certain customers’ encrypted vaults, which store their passwords and other sensitive credentials.
Dashlane said on its incident page that there was no evidence of compromise of its own systems, but it has not yet said how the hackers were able to defeat its two-factor protections in order to access customer accounts. Two-factor is a security feature that protects accounts from being accessed with just a stolen username and password, typically by requiring an additional passcode to be sent to the phone of the account holder.
“The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” said Dashlane. The company said that attackers can use automated software to “rapidly submit each possible numeric combination to the system, hoping to guess the exact sequence before the short-lived [two-factor] security code expires.”
The company said it has “taken steps to mitigate the risk of future incidents,” without saying what those were.
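Guessing a short numeric code only works when the verifier accepts an unbounded number of tries. The sketch below is an added example, not Dashlane's code (the company has not described its mitigations): a verifier that caps wrong guesses per code and per account. The code length, lifetime, limits and all names are assumptions.

```python
import hmac
import secrets

CODE_DIGITS = 6         # assumption: the page does not give the code length
CODE_TTL = 300          # assumption: code lifetime in seconds
MAX_PER_CODE = 5        # wrong guesses allowed against a single code
MAX_PER_ACCOUNT = 10    # wrong guesses allowed per account before lockout

class TwoFactorGuard:
    """Issues short-lived numeric codes; caps wrong guesses per code and per account."""

    def __init__(self):
        self.challenges = {}   # account -> [code, expiry, failures on this code]
        self.failures = {}     # account -> wrong guesses since the last success

    def issue(self, account, now):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.challenges[account] = [code, now + CODE_TTL, 0]
        return code            # delivered out of band in a real system

    def verify(self, account, guess, now):
        # Account-level cap: requesting a fresh code must not reset the budget.
        if self.failures.get(account, 0) >= MAX_PER_ACCOUNT:
            return "account_locked"
        ch = self.challenges.get(account)
        if ch is None or now >= ch[1] or ch[2] >= MAX_PER_CODE:
            return "code_invalid"          # never issued, expired, or burned
        if hmac.compare_digest(guess.encode(), ch[0].encode()):
            del self.challenges[account]   # codes are single use
            self.failures[account] = 0
            return "ok"
        ch[2] += 1
        self.failures[account] = self.failures.get(account, 0) + 1
        return "wrong"

def blind_guess_odds(guesses, digits=CODE_DIGITS):
    """Probability that `guesses` distinct guesses hit one uniformly random code."""
    return min(guesses, 10 ** digits) / 10 ** digits
```

With these limits an attacker gets at most 10 guesses per account before lockout, so the odds of a blind hit are 10 in 1,000,000; without any cap, a client that can submit the whole code space within the lifetime succeeds with certainty.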
Dashlane said it has notified the 20 or so customers whose encrypted vaults were stolen. It’s not yet clear if the specific customers were targeted for a reason, such as because of who they are or what they do for a living.
Spokespeople for Dashlane did not respond to a request for comment. The company has not said if it knows who targeted its customers, or if the hackers contacted Dashlane with demands, such as a ransom.
The stolen vaults are scrambled and cannot be read without the customer’s master password, which is only known by the customer and is not uploaded to Dashlane in plaintext, the company’s website says. But Dashlane said that customers with an easily guessed master password may be at greater risk of having it guessed and their password vaults decrypted.
Data breaches affecting password manager companies are rare, but can have lasting consequences.
In 2022, LastPass confirmed that customer password vault backups were stolen during a cyberattack. While the vaults were protected with passwords only known to the customer, the password requirements for early customers were far weaker than the later standard, allowing hackers to brute-force and easily guess the passwords of some customers’ vaults. There have been several reports of hackers stealing huge amounts of customers’ crypto, likely by using private keys stored in stolen LastPass vaults that had their master passwords cracked following the breach.
A year earlier, Australian software house Click Studios warned each of its customers who use its flagship password manager, Passwordstate, to “reset all credentials” after hackers compromised its software update mechanism to plant malware on customer systems.