Dashlane advisory on stolen vaults leaves users confused
Dashlane published an advisory warning that attackers obtained 20 encrypted user vaults and that, starting on Sunday, May 31, 2026, an external party launched a brute-force attack against certain user accounts. The company said the attackers aimed to brute-force two-factor authentication (2FA) protections to register new devices on existing accounts.
Users who received 2FA prompts say they got little explanation. A UK-based customer who shared a notification screenshot contacted Dashlane through a support bot and received no clarification, then learned of the incident from Mastodon infosec posts rather than directly from the company.
Many social media threads reflect similar confusion about how a 2FA request could be triggered without a password first. Typical 2FA codes are six digits and refresh roughly every 45 seconds, though the notification in question indicated a code remained valid for three hours.