
Password Manager Dashlane Reveals How a Hacker Stole Encrypted Vaults

Dashlane's update about the brute-force attack reveals a notable security gap in the 'device registration' process for the password manager.

By Michael Kan, Principal Reporter


Dashlane, a leading password manager, has revealed that a hacker exploited a security gap in the service’s online login system to steal encrypted vaults from fewer than 20 users.

The theft occurred on Sunday, and Dashlane first reported it the next day. But that initial report left us scratching our heads because it wasn’t entirely clear how the hacker downloaded the encrypted password vaults from affected users.


At the time, the company said the hacker “launched a brute force attack” (systematically trying every possible combination) against Dashlane's two-factor authentication (2FA). The hacker's goal was to hit the correct combination and thereby add their own device to an existing user’s account.

The problem is that a 2FA process typically requires a user to enter the correct password before it asks for a code, which is usually generated on a phone or sent to the user’s email address. But Dashlane indicated that no “master passwords” had been stolen, so the looted vault data should have remained encrypted and inaccessible to the attacker. 

On Thursday, the company finally provided more details, revealing an interesting quirk in Dashlane’s login system. For certain accounts, it will send the encrypted vault data without requiring a master password; entering the correct six-digit verification code is enough.

Specifically, the hacker targeted the “device registration flow,” which lets a user add a new phone or computer to an account. Dashlane first asks for the account holder’s email address. Rather than asking for the password as the first step, the process then tries to verify that the request is authorized by sending a one-time six-digit code to the user's registered email address. The six-digit code can also be generated by the registered authenticator app.


In the update, Dashlane explained: “The user enters this code into the Dashlane application, at which point Dashlane registers the device and downloads a copy of the encrypted vault to the device.” 

That sounds like a possible flaw because it also means a hacker could theoretically guess and enter the correct six-digit code to download a user’s encrypted vault. The hacker would only need to know the email address tied to the victim’s account, plus enough attempts to guess the correct code. Six digits means there are only 1 million possible codes to test, which almost certainly meant the hacker bombarded Dashlane's IT systems with requests, as Ars Technica points out.

A Dashlane support page adds: “Once the device is authenticated to our server, the device can download the user’s vault in its encrypted form (cf 3.2 Encryption Model: Secrets and Protections). Then, the user can decrypt their vault by providing their Master Password.”

After our story published, Dashlane told PCMag: "We want to clarify that it is a weakness that we are strengthening with additional layers of protection, but it's not a vulnerability."

In the update, the company also noted: “Without the Master Password, a user cannot access the items inside the vault. The vault encryption (Argon2 + AES-256-CBC + HMAC-SHA256) used by Dashlane ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”  

The company also doesn’t store “Master Passwords or their derivatives” on its servers, which might be why it was relying on six-digit codes for verification. To address the threat, Dashlane notes: “Additional layers of verification are also being added to the new device registration flow. This advisory will be updated as these changes are deployed.”

The company says it also “deployed additional protections at the network level and within the product to further detect and filter out malicious traffic,” suggesting stricter rate-limiting has been implemented to prevent future brute-force attacks.

In the post, Dashlane wrote: "The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints. In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users." Still, the hacker was able to "brute force and generate valid tokens for fewer than 20 personal plan customers," the update says.
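To make the weakness and the mitigation concrete, here is an added example (not Dashlane's code; the lockout threshold and code lifetime are assumed values) modelling a device-registration endpoint that verifies a six-digit emailed code. It shows why an unlimited-attempt check is only a 1-in-1,000,000 lottery per request, and how a per-account attempt cap plus code expiry bounds an automated guesser's odds to a negligible fraction.

```python
import hmac
import secrets
import time

CODE_SPACE = 10**6          # a six-digit code has exactly 1,000,000 possible values
MAX_ATTEMPTS = 5            # assumed lockout threshold (illustrative, not Dashlane's)
CODE_TTL_SECONDS = 600      # assumed code lifetime (illustrative)


class DeviceRegistration:
    """Minimal model of an email/OTP 'add new device' endpoint."""

    def __init__(self):
        self._pending = {}   # email -> [code, issued_at, failed_attempts]
        self.locked = set()  # accounts locked after too many wrong guesses

    def request_code(self, email, now=None):
        now = now or time.time()
        code = f"{secrets.randbelow(CODE_SPACE):06d}"  # CSPRNG; never derived from user data
        self._pending[email] = [code, now, 0]
        return code                                     # in reality delivered to the inbox

    def register_device(self, email, guess, now=None):
        """Return True only for a live, single-use code on an unlocked account."""
        now = now or time.time()
        if email in self.locked or email not in self._pending:
            return False
        code, issued_at, failed = self._pending[email]
        if now - issued_at > CODE_TTL_SECONDS:          # expired codes are discarded
            del self._pending[email]
            return False
        if hmac.compare_digest(code, str(guess)):       # constant-time comparison
            del self._pending[email]                     # code is consumed on success
            return True
        self._pending[email][2] = failed + 1
        if failed + 1 >= MAX_ATTEMPTS:                   # cap guesses per issued code
            self.locked.add(email)
            del self._pending[email]
        return False


def simulate_automated_guessing(reg, email):
    """Model of an automated guesser that knows only the email; returns the attempt count."""
    attempts = 0
    for guess in range(CODE_SPACE):
        attempts += 1
        if reg.register_device(email, f"{guess:06d}") or email in reg.locked:
            break
    return attempts


def max_success_probability():
    """Upper bound on guessing success with the cap in place: MAX_ATTEMPTS / CODE_SPACE."""
    return MAX_ATTEMPTS / CODE_SPACE
```

Without the cap the loop would run all 1,000,000 codes and succeed with certainty; with it, the account locks after MAX_ATTEMPTS guesses and the odds drop to 5 in a million per issued code.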

Editor's note: This story has been updated with comment from Dashlane.
