Dashlane explains how attackers managed to download encrypted password vaults
Dashlane said attackers mounted a coordinated campaign that abused the company’s device-enrollment APIs to send automated requests to large numbers of users’ registered email addresses. Its automated security systems triggered account lockouts, but the operation still allowed attackers to brute-force and generate valid tokens for fewer than 20 personal-plan customers before the company shut the activity down and contacted those users.
The attack exploited the flow that enrolls a new device: Dashlane sends a one-time six-digit token to a user’s email (or validates a six-digit code from an authentication app for users with 2FA), and the code must be entered on the new device for registration to succeed.
Rather than brute-forcing a single account’s code within that code’s validity window, the attackers sprayed many accounts at once, increasing the odds of a successful guess somewhere while keeping the number of attempts against any one account below the lockout threshold.
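To show why per-account lockouts alone do not catch the spray described above, here is an added example (not Dashlane's code) that models the six-digit token space and flags both a single-account brute force and a cross-account spray from one source; the thresholds, IP addresses and log lines are assumed and constructed for illustration.

```python
from collections import defaultdict

CODE_SPACE = 10 ** 6           # six-digit one-time enrollment token
PER_ACCOUNT_LOCKOUT = 5        # wrong guesses before one account locks (assumed policy)
SPRAY_ACCOUNTS_PER_SOURCE = 3  # distinct accounts one source may hit per window (assumed)


def expected_successes(accounts: int, attempts_per_account: int,
                       code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts whose token is guessed when each of
    `accounts` targets receives `attempts_per_account` independent guesses
    inside one token validity window."""
    p_hit = 1 - (1 - 1 / code_space) ** attempts_per_account
    return accounts * p_hit


def analyse(events):
    """events: iterable of (source, account, ok) token-verification attempts
    in one window. Returns (locked_accounts, spraying_sources).

    Per-account failure counting reproduces the lockout described in the
    article; per-source distinct-account counting is the extra signal that
    catches a spray of a few guesses against many accounts."""
    failures = defaultdict(int)
    targets = defaultdict(set)
    for source, account, ok in events:
        targets[source].add(account)
        if not ok:
            failures[account] += 1
    locked = {a for a, n in failures.items() if n >= PER_ACCOUNT_LOCKOUT}
    spraying = {s for s, accts in targets.items()
                if len(accts) >= SPRAY_ACCOUNTS_PER_SOURCE}
    return locked, spraying


# Constructed sample events (not real logs): one source sprays eight accounts
# with two guesses each, so no account ever reaches the lockout threshold.
SAMPLE = [("203.0.113.7", f"user{i}@example.com", False)
          for i in range(1, 9) for _ in range(2)]
# A classic single-account brute force that the lockout does catch.
SAMPLE += [("198.51.100.9", "victim@example.com", False)] * 5
# One legitimate enrollment.
SAMPLE += [("192.0.2.1", "alice@example.com", True)]

if __name__ == "__main__":
    print("locked / spraying:", analyse(SAMPLE))
    print("expected hits, 100k accounts x 4 guesses:",
          round(expected_successes(100_000, 4), 3))
```

With 100,000 accounts and four guesses each the attacker stays under the lockout everywhere yet expects roughly 0.4 valid tokens, which is why the per-source view matters.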