GoKawiilDashlane, the maker of a password manager of the same name, has shared that several users' password vaults were exposed as part of a "brute force attack." The hackers were able to download copies of the password vaults of around 20 users, though Dashlane notes that vault data is encrypted unless they have access to a user's Master Password.
The hackers didn't gain access to the password vaults by compromising Dashlane's internal systems, according to a Dashlane status page that documented the attack. Instead, they tried to game the company's two-factor authentication system, the extra security layer that requires you to provide a passcode sent over text or email along with your username and password to log in.
"The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts," Dashlane says. The attackers likely used "automated software to rapidly submit every possible number combination" into Dashlane's two-factor authentication system, basically accessing accounts through an elaborate system of trial and error.
Engadget has contacted Dashlane for more information about the attack and how it's planning to prevent future incidents. We'll update this article if we hear back.
Dashlane says its security controls automatically locked the accounts the hackers were targeting because of the high volume of login attempts. Users impacted by the attack have been notified. The company also says "traffic from threat actors has been blocked." According to Dashlane, it's "taken steps to mitigate the risk of future accidents," but the company still recommends that users review which devices are associated with their account, enable two-factor authentication and use a stronger Master Password.