Hackers brute-forced Dashlane’s two-factor authentication and downloaded encrypted password vaults

TL;DR

Attackers brute-forced Dashlane’s 2FA system to register new devices on fewer than 20 accounts, downloading their encrypted password vaults. The vaults remain encrypted with master passwords Dashlane never stores, but users with weak passwords face offline cracking risk.

Dashlane disclosed on Sunday that an external attacker launched a brute-force attack against its two-factor authentication system, successfully bypassing 2FA protections on fewer than 20 personal plan user accounts and downloading copies of their encrypted password vaults. The attack, which began on 31 May, triggered automatic account lockouts across a wider set of targeted users as Dashlane’s security controls detected the high volume of authentication attempts.

The method was straightforward. Attackers used automated software to rapidly submit every possible numeric combination for time-based 2FA codes, attempting to guess the correct sequence before each short-lived code expired. When successful, this allowed them to register a new device on the targeted account,...
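Why a short numeric code depends on attempt limiting, shown as an added example that is not code from Dashlane or from the original article: it computes the chance that blind guessing hits a valid code, and implements a server-side verifier that locks an account after repeated failures. The 6-digit code length, 30-second step, 5-failure threshold and 15-minute lockout are assumptions, as are all names used here.

```python
import hashlib
import hmac
import struct

# Assumptions for this added example (not stated on the page):
DIGITS = 6             # code length
STEP = 30              # seconds each code is valid
MAX_FAILURES = 5       # wrong codes tolerated before lockout
LOCKOUT_SECONDS = 900  # lockout duration


def totp(secret: bytes, now: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    mac = hmac.new(secret, struct.pack(">Q", int(now // STEP)), hashlib.sha1).digest()
    pos = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[pos:pos + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


def guess_success_probability(guesses_per_period: int, periods: int) -> float:
    """Chance that blind, distinct guesses hit a valid code at least once."""
    per_period = min(1.0, guesses_per_period / 10 ** DIGITS)
    return 1 - (1 - per_period) ** periods


class ThrottledVerifier:
    """Checks codes server-side and locks an account after repeated failures."""

    def __init__(self) -> None:
        self.failures: dict[str, int] = {}
        self.locked_until: dict[str, float] = {}

    def verify(self, account: str, secret: bytes, code: str, now: float) -> str:
        if now < self.locked_until.get(account, 0.0):
            return "locked"  # rejected without evaluating the code at all
        if code.isascii() and hmac.compare_digest(totp(secret, now), code):
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILURES:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            self.failures[account] = 0
        return "denied"
```

With these assumed values, 10,000 unthrottled guesses per 30-second step over one day succeed almost certainly, while 5 guesses per 15-minute lockout cycle over the same day succeed with probability below 0.1%.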

Copyright of this story solely belongs to thenextweb.com.