Dashlane issues opaque advisory warning 20 encrypted vaults were stolen
Ars Technica

There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.

“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

Hello, Dashlane, anybody home?

A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.

The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user got no information about why the notification was sent.

“Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”

Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. …
Original source: Ars Technica