
Dashlane Brute Force Attack Locks Out Users and Copies a Few Vaults

A Dashlane brute force attack hit 2FA, locked out accounts, and copied fewer than 20 encrypted vaults. Here is what happened and how to stay safe.

Dateline: June 2, 2026

Introduction

Imagine logging into your password manager and getting an email saying your account is suspended. That happened to a wave of Dashlane users over the weekend.

The cause was a brute-force attack aimed at the one thing standing between an attacker and your vault: two-factor authentication.

What Happened?

The trouble started on May 31. Users began getting emails warning that their accounts were suspended because someone tried to register a new device and kept entering the wrong token. Others saw login alerts from unfamiliar countries, with Russia and Korea showing up repeatedly.

Dashlane confirmed an external party had hit certain accounts with a brute-force attack. The attacker was not guessing master passwords. The goal was to brute-force the short-lived 2FA codes so they could register new devices on existing accounts.

Because so many failed attempts piled up, Dashlane’s built-in controls automatically suspended the targeted accounts. That safety mechanism is what locked legitimate users out. The attack also disrupted the company’s email notification and 2FA systems, so some users who tried to pull up their one-time codes just got an error.

Dashlane opened an investigation at 15:19 UTC on May 31 and marked the incident resolved by 22:30 UTC the same day, then shifted the status to monitoring on June 1.

Here is the part that matters most. In a later advisory, Dashlane admitted the attackers managed to download a copy of the encrypted vaults belonging to fewer than 20 personal plan users. The company said it notified each of those users directly.

[Infographic: Authentication Attack. How a Brute Force Attack Works]

Attackers use automated tools to repeatedly test password combinations until they discover valid credentials and gain access to an account.

Step 01: Select Target. Login page, application, or user account.
Step 02: Generate Guesses. Automated password combinations are created.
Step 03: Attempt Logins. Bots continuously test credentials.
Step 04: Access Granted. A valid password is eventually found.

The Impact

For most people, the damage was an annoying lockout and a scary email, not a real breach. Dashlane says there is no evidence its systems were compromised, and vault data cannot be opened without the master password.

The fewer than 20 copied vaults are a different story. Even encrypted, a stolen vault hands an attacker time. They can run offline guessing against the master password without any rate limit or lockout slowing them down. A weak or reused master password is the single point of failure in that scenario.

There is also a trust problem. Dashlane took heat on Reddit for staying quiet. Many users could not tell if the suspension emails were real or a phishing attempt, and the company shared little beyond direct emails and a few social replies. When the product is supposed to be your security anchor, silence reads as alarm.

How to Avoid This

If you got a vault notification from Dashlane, change your master password now and rotate the credentials stored inside, starting with email, banking, and anything reused.

For everyone else, make your master password long and unique, since that is the only thing protecting a copied vault. Swap SMS or code-based 2FA for a hardware key or passkey where you can, because those cannot be brute-forced the way numeric codes can.

Watch for login alerts from places you have never been, and treat any unexpected suspension email with suspicion. Go to the official site directly instead of clicking links.

When the Attack Hits Your 2FA, Who Is Watching?

This attack worked by hammering authentication until something gave. Secure.com spots that pattern before it turns into a lockout or a stolen vault.

  • Flags brute-force login attempts and credential stuffing the moment the volume spikes
  • Watches identity activity for logins from odd locations and unknown devices
  • Catches new device registrations that do not fit a user’s normal pattern
  • Correlates failed auth events so a slow attack does not slip under the radar
  • Maps which accounts and systems are exposed if one identity gets popped
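As an added illustration (not Secure.com's or Dashlane's code), the Python below runs the detection described in the first four bullets over a handful of constructed auth events: it counts failed 2FA/device-registration attempts per account in both a short burst window and a long slow window, and flags countries an account has never been seen from. The log format, thresholds, country codes and account names are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth events (not Dashlane telemetry): "timestamp account event result country"
SAMPLE_LOG = """\
2026-05-31T15:00:00Z alice device_register_2fa fail RU
2026-05-31T15:00:02Z alice device_register_2fa fail RU
2026-05-31T15:00:04Z alice device_register_2fa fail RU
2026-05-31T15:00:06Z alice device_register_2fa fail KR
2026-05-31T09:00:00Z bob device_register_2fa fail KR
2026-05-31T13:00:00Z bob device_register_2fa fail KR
2026-05-31T17:00:00Z bob device_register_2fa fail RU
2026-05-31T12:30:00Z carol login fail US
"""
BURST_WINDOW, BURST_LIMIT = timedelta(minutes=10), 4  # fast hammering of 2FA codes
SLOW_WINDOW, SLOW_LIMIT = timedelta(hours=24), 3      # low-and-slow attempts (assumed thresholds)

def parse(log):  # one tuple per event, sorted by timestamp
    events = []
    for line in log.splitlines():
        ts, account, event, result, country = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, event, result, country))
    return sorted(events)

def count_in_window(times, window):  # most sorted timestamps that fit inside any sliding window
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def detect(log, known_countries):  # known_countries: account -> set of countries usually seen
    failures, seen = defaultdict(list), defaultdict(set)
    for ts, account, _event, result, country in parse(log):
        seen[account].add(country)
        if result == "fail":
            failures[account].append(ts)
    findings = defaultdict(list)
    for account, times in failures.items():
        if count_in_window(times, BURST_WINDOW) >= BURST_LIMIT:
            findings[account].append("burst_2fa_bruteforce")
        elif count_in_window(times, SLOW_WINDOW) >= SLOW_LIMIT:  # spread-out attempts still add up
            findings[account].append("slow_2fa_bruteforce")
    for account, countries in seen.items():
        novel = countries - known_countries.get(account, set())
        if novel:
            findings[account].append("unusual_country:" + ",".join(sorted(novel)))
    return dict(findings)
```

Correlating by account rather than by source address is what catches bob, whose three failures are hours apart and would never trip a per-minute rate limit.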