Password manager Dashlane says hackers have stolen some customers’ password vaults

✨ Discover this awesome post from TechCrunch 📖

📂 **Category**: Security,cyberattack,cybersecurity,dashlane,LastPass,password manager,two-factor authentication

Password manager maker Dashlane says hackers obtained at least a dozen encrypted vaults used to store customer passwords during a cyberattack over the weekend.

The company said on its website that the hackers brute-forced the company’s two-factor authentication system, allowing them to access about 20 customer accounts. By defeating the two-factor mechanism, the hackers were able to download a copy of some customers’ encrypted vaults, which stored their passwords and other sensitive credentials.

Dashlane said on its incident page that there was no evidence that its own systems had been compromised, but it had not yet said how the hackers were able to defeat two-factor security measures in order to access customer accounts. Two-factor is a security feature that protects accounts from being accessed using only a stolen username and password, usually by requiring an additional passcode sent to the account holder’s phone.

“The intent of the attack was to enforce two-factor authentication (2FA) protection to allow the attacker to register new devices on existing user accounts,” Dashlane said. The company said attackers could use automated software to “quickly send every possible digital combination to the system, hopefully guessing the exact sequence before a short-lived [two-factor] security code expires.”
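The pattern described above (many wrong 2FA codes against one account, then a new device registration) can be detected from authentication logs. The following is an added example, not code from Dashlane or the original article; the event names, thresholds and sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (not real logs): time, account, event type.
# Event names "2fa_fail", "2fa_ok", "device_registered" are hypothetical.
SAMPLE_EVENTS = [
    ("2024-01-06T10:00:00", "alice", "2fa_fail"),
    ("2024-01-06T10:00:40", "alice", "2fa_ok"),
    ("2024-01-06T10:01:00", "alice", "device_registered"),
] + [
    (f"2024-01-06T11:00:{s:02d}", "bob", "2fa_fail") for s in range(0, 50, 2)
] + [
    ("2024-01-06T11:00:51", "bob", "2fa_ok"),
    ("2024-01-06T11:00:55", "bob", "device_registered"),
    ("2024-01-06T12:00:00", "carol", "2fa_fail"),
    ("2024-01-06T12:00:05", "carol", "2fa_fail"),
]

def detect_2fa_guessing(events, max_failures=10, window=timedelta(minutes=5)):
    """Return alerts for accounts whose failed 2FA attempts within `window`
    reach `max_failures`; escalate when a new device is registered afterwards."""
    failures = defaultdict(deque)   # account -> timestamps of recent failures
    flagged = {}                    # account -> time the threshold was crossed
    alerts = []
    for ts, account, kind in sorted(events):
        now = datetime.fromisoformat(ts)
        recent = failures[account]
        while recent and now - recent[0] > window:
            recent.popleft()        # drop failures that fell out of the window
        if kind == "2fa_fail":
            recent.append(now)
            if len(recent) >= max_failures and account not in flagged:
                flagged[account] = now
                alerts.append((account, "guessing_suspected", ts))
        elif kind == "device_registered" and account in flagged:
            if now - flagged[account] <= window:
                alerts.append((account, "device_added_after_guessing", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect_2fa_guessing(SAMPLE_EVENTS):
        print(alert)
```

A single mistyped code (alice) or a couple of failures (carol) stays below the threshold; only the burst followed by a device registration (bob) produces both alerts.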

The company said it had “taken steps to mitigate the risks of future accidents,” without specifying what they were.

Dashlane said it informed the 20 or so customers that their encrypted vaults had been stolen. It’s not yet clear whether specific customers were targeted for a reason, such as who they are or what they do for a living.

Dashlane spokespeople did not respond to a request for comment. The company did not say whether it knew who targeted its customers, or whether the hackers contacted Dashlane with any demands, such as a ransom.

The company’s website says the stolen vaults are encrypted and cannot be read without the customer’s master password, which only the customer knows and is not uploaded to Dashlane in plain text. But Dashlane said customers with a master password that’s easy to guess may be more at risk of it being guessed and their password vaults being decrypted.

Data breaches affecting password management companies are rare but can have lasting consequences.

In 2022, LastPass confirmed that backups of customers’ password vaults were stolen during a cyberattack. Although the vaults were protected with passwords known only to the customer, the password requirements for early customers were much weaker than the later standard, allowing hackers to use brute force and easily guess the passwords to some customers’ vaults. There have been several reports of hackers stealing massive amounts of customers’ cryptocurrencies, most likely using private keys stored in stolen LastPass vaults whose master passwords were compromised after the hack.

A year ago, Australian software company Click Studios warned all of its customers using its main password manager, Passwordstate, to “reset all credentials” after hackers compromised its software update mechanism to plant malware on customers’ systems.

🕒 **Posted on**: 1780476275
