iToverDose / Technology · 5 June 2026 · 00:06

How attackers exploited Dashlane to steal encrypted password vaults

Password manager Dashlane reveals a targeted brute-force attack that allowed hackers to download encrypted vaults from fewer than 20 accounts. The campaign leveraged device enrollment APIs to bypass security checks.

Ars Technica

Threat actors targeted Dashlane users by abusing the password manager's device enrollment system. The campaign began last Sunday and aimed to download encrypted password vaults from as many accounts as possible before Dashlane could intervene. It was contained before significant damage occurred, with fewer than 20 personal account vaults accessed.

Attackers abused device enrollment to bypass security

The threat actors focused on Dashlane's device registration APIs, which let users add a new device such as a computer or phone to their account. By sending a high volume of automated requests to these endpoints, the attackers attempted to brute-force the enrollment verification step that stands between a new device and the account. Dashlane's automated security systems detected the abnormal request volume and locked down the targeted accounts to prevent further unauthorized access.

Despite the rapid response, the attackers managed to obtain valid enrollment tokens for fewer than 20 personal plan customers. That let them register new devices on those accounts and download copies of the users' encrypted vaults. Dashlane's security advisory described the breach as limited in scope and said that, beyond those encrypted vault copies, no financial or other highly sensitive data was exposed.
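The kind of automated check that would catch this pattern, as an added illustration and not anything Dashlane has published: it reads constructed token-verification log lines (the line format, field names, thresholds and addresses are all assumptions for the demonstration), keeps a sliding window of failed verifications per account and of distinct accounts probed per source address, and returns which accounts to lock and which sources to block.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample lines (not real Dashlane logs): one per enrollment-token check.
# 203.0.113.9 hammers alice, then moves on to bob and carol; 198.51.100.7 is a
# legitimate user who mistypes once and then succeeds.
SAMPLE_LOG = """\
2026-06-01T03:12:07Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:09Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:11Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:13Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:15Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:17Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:19Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:21Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:23Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:25Z enrollment.verify email=alice@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:27Z enrollment.verify email=bob@example.com src=203.0.113.9 result=fail
2026-06-01T03:12:29Z enrollment.verify email=carol@example.com src=203.0.113.9 result=fail
2026-06-01T03:15:00Z enrollment.verify email=dave@example.com src=198.51.100.7 result=fail
2026-06-01T03:15:40Z enrollment.verify email=dave@example.com src=198.51.100.7 result=ok
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) enrollment\.verify email=(?P<email>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)

WINDOW = timedelta(minutes=10)
FAIL_THRESHOLD = 10    # failed checks on one account within WINDOW -> lock the account
FANOUT_THRESHOLD = 3   # distinct accounts probed from one source within WINDOW -> block it


def parse(line):
    """Return (timestamp, email, src, result), or None for a line in another format."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, m["email"], m["src"], m["result"]


def detect(lines):
    """Sliding-window counters over the lines; returns (accounts_to_lock, sources_to_block)."""
    fails_by_account = defaultdict(list)   # email -> timestamps of recent failures
    probes_by_src = defaultdict(list)      # src -> (timestamp, email) of recent checks
    lock, block = set(), set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, email, src, result = rec
        if result == "fail":
            recent = [t for t in fails_by_account[email] if ts - t <= WINDOW] + [ts]
            fails_by_account[email] = recent
            if len(recent) >= FAIL_THRESHOLD:
                lock.add(email)
        # Fan-out: one source cycling through many accounts is the campaign signature,
        # even when it stays under the per-account failure threshold on each of them.
        probes = [(t, e) for t, e in probes_by_src[src] if ts - t <= WINDOW] + [(ts, email)]
        probes_by_src[src] = probes
        if len({e for _, e in probes}) >= FANOUT_THRESHOLD:
            block.add(src)
    return lock, block


def detect_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    lock, block = detect_sample()
    print("lock accounts:", sorted(lock))
    print("block sources:", sorted(block))
```

The per-account counter is what locks a hammered account; the per-source fan-out counter is what catches an attacker who spreads guesses across many accounts to stay under that limit. In a real deployment both windows would live in a shared store rather than in-process dictionaries, and the source key would usually be widened from a single address to a network range or device fingerprint.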

How Dashlane’s device enrollment works—and how it was exploited

When a user installs the Dashlane app on a new device, Dashlane first verifies the user's identity. It emails a one-time six-digit token to the registered address, and that token must be entered to complete the enrollment. For users with two-factor authentication enabled, the token is instead generated by their authenticator app.

The attackers got past this safeguard because the initial device enrollment endpoints were not rate limited. A six-digit code has only one million possible values, so an automated client that is never throttled, locked out or forced to request a fresh code can keep submitting guesses for the email addresses it is targeting until one is accepted. Dashlane emphasized that its core encryption remained intact: the downloaded vaults are still encrypted with keys derived from each user's master password, which the attackers did not obtain. The caveat is that a stolen vault copy can be attacked offline for as long as the attacker likes, so from here on the strength of the master password is what protects it.
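An added example, not Dashlane's code: a minimal enrollment-token verifier in the weak form (unlimited guesses, no expiry) beside a hardened form (attempt cap, lifetime, single use), with a client that enumerates the code space the way an unthrottled attacker would. Class names, thresholds and the injectable token are assumptions for the demonstration; the real service's internals are not described by the article.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

TOKEN_DIGITS = 6
TOKEN_SPACE = 10 ** TOKEN_DIGITS   # a six-digit code has only 1,000,000 values
MAX_ATTEMPTS = 5                   # hardened verifier: guesses allowed per issued token
TOKEN_TTL_SECONDS = 600            # hardened verifier: token lifetime in seconds


def new_token() -> str:
    # secrets, not random: the code must be unpredictable as well as short-lived
    return f"{secrets.randbelow(TOKEN_SPACE):0{TOKEN_DIGITS}d}"


@dataclass
class Pending:
    token: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class UnthrottledVerifier:
    """Weak setting: a pending token can be guessed any number of times and never expires."""

    def __init__(self):
        self.pending = {}   # email -> Pending

    def start(self, email: str, now: float, token: Optional[str] = None) -> Pending:
        # A token may be injected so the demo is deterministic (assumption for the example);
        # a production path would always call new_token().
        p = Pending(token or new_token(), now)
        self.pending[email] = p
        return p

    def verify(self, email: str, guess: str, now: float) -> bool:
        p = self.pending.get(email)
        return p is not None and hmac.compare_digest(p.token, guess)


class ThrottledVerifier(UnthrottledVerifier):
    """Hardened setting: bounded attempts, expiry and single use per issued token."""

    def verify(self, email: str, guess: str, now: float) -> bool:
        p = self.pending.get(email)
        if p is None or p.locked:
            return False
        if now - p.issued_at > TOKEN_TTL_SECONDS:
            del self.pending[email]        # expired: the user must request a fresh code
            return False
        p.attempts += 1
        if hmac.compare_digest(p.token, guess):
            del self.pending[email]        # single use: replaying the code fails
            return True
        if p.attempts >= MAX_ATTEMPTS:
            p.locked = True                # further guesses are rejected without checking
        return False


def brute_force(verifier, email: str, now: float, budget: int = TOKEN_SPACE):
    """Automated client walking the code space in order. Returns guesses used, or None."""
    for i in range(budget):
        if verifier.verify(email, f"{i:0{TOKEN_DIGITS}d}", now):
            return i + 1
    return None


if __name__ == "__main__":
    weak, hard = UnthrottledVerifier(), ThrottledVerifier()
    weak.start("victim@example.com", 0.0, token="000777")
    hard.start("victim@example.com", 0.0, token="000777")
    print("unthrottled: found after", brute_force(weak, "victim@example.com", 0.0), "guesses")
    print("throttled:   result", brute_force(hard, "victim@example.com", 0.0, budget=1000))
```

Against the weak verifier the attacker needs on average half a million requests per account, which is cheap to automate; against the hardened one the fifth wrong guess locks the pending token and the attacker's success probability per issued code is capped at five in a million. A real service would also throttle per source address and per device, back off with increasing delay before locking, and feed every failure into monitoring.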

What Dashlane users should do next

Dashlane has not said whether any of the downloaded vaults were decrypted. The company advises all users to review their account activity and to enable two-factor authentication if they have not already. Because the method was brute force against the enrollment step, the strength of the account's own protections, starting with its master password and second factor, is what decides whether an attacker who reaches this far gets anything usable.

For users who may have been targeted, Dashlane recommends changing the passwords for the accounts stored in their vaults, above all any credentials that were reused elsewhere. The breach was limited, but it shows that the security of a password manager account rests as much on the enrollment and recovery paths as on the vault encryption itself.

Looking ahead, Dashlane is likely to tighten its API rate limits and add verification steps to device enrollment to prevent a repeat. Users should watch for its security updates and keep to the basics: a strong, unique master password and a second factor on the account.

AI summary

In an attack targeting Dashlane users, fewer than 20 password vaults were downloaded. Learn how the attack was carried out and how your data is protected.
