
Dashlane issues opaque advisory warning 20 encrypted vaults were stolen

Why This Matters

Dashlane's recent security advisory reveals a breach where attackers attempted to brute-force 2FA protections, resulting in the theft of 20 encrypted vaults. The incident raises concerns about the effectiveness of 2FA and the security measures in place for password managers, highlighting the importance of robust defenses against sophisticated attacks. This event underscores the need for both companies and consumers to remain vigilant and adopt multi-layered security strategies.

Key Takeaways

There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.

“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”

Hello, Dashlane, anybody home?

Scores of social media discussions are filled with users who don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. These codes are usually six digits long and change every 45 or so seconds. Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the 45-second window.

While it’s possible to muster the resources needed to bombard Dashlane servers with that many guesses in such a short period of time, such resources aren’t commonly seen in typical brute-force attacks. Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it appears likely based on language in the advisory saying, “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.” Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more 2FA submissions in under a minute.
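The arithmetic behind the two paragraphs above, as an added example (not from the article or from Dashlane): it models a six-digit code that rotates every 45 seconds and compares unthrottled guessing with an account lockout. The lockout thresholds and per-window rates in the sample policies are hypothetical, chosen only for illustration.

```python
from math import ceil, log

CODE_SPACE = 10 ** 6     # six-digit codes: the article's 1 million possibilities
WINDOW_SECONDS = 45      # code lifetime the article assumes


def p_hit_in_window(guesses, code_space=CODE_SPACE):
    """Chance that `guesses` distinct codes tried in one window include the valid one."""
    return min(guesses, code_space) / code_space


def requests_per_second(guesses, window=WINDOW_SECONDS):
    """Sustained request rate needed to land `guesses` submissions inside one window."""
    return guesses / window


def windows_needed(guesses_per_window, target, code_space=CODE_SPACE):
    """Windows of guessing needed to reach `target` success odds with no lockout.
    The code rotates each window, so windows are independent trials."""
    p = p_hit_in_window(guesses_per_window, code_space)
    if p <= 0:
        raise ValueError("need at least one guess per window")
    if p >= 1:
        return 1
    return ceil(log(1 - target) / log(1 - p))


def p_hit_before_lockout(guesses_per_window, max_failures, code_space=CODE_SPACE):
    """Success odds when the account locks after `max_failures` wrong codes in total."""
    if guesses_per_window <= 0:
        return 0.0
    p_miss, remaining = 1.0, max_failures
    while remaining > 0:
        g = min(guesses_per_window, remaining, code_space)
        p_miss *= 1 - g / code_space   # distinct guesses inside one window
        remaining -= g
    return 1 - p_miss


if __name__ == "__main__":
    # Hypothetical policies, constructed for illustration; not Dashlane's settings.
    print(f"no limit, 150k/window: {p_hit_in_window(150_000):.1%} per window, "
          f"{requests_per_second(150_000):,.0f} req/s, "
          f"{windows_needed(150_000, 0.5)} windows to reach 50%")
    for rate, cap in [(5, 10), (5, 100)]:
        print(f"{rate}/window, lock at {cap}: "
              f"{p_hit_before_lockout(rate, cap):.4%} before lockout")
```

Even a generous lockout threshold keeps the per-account odds to a small fraction of a percent, whereas the unthrottled case requires thousands of requests per second against a single account.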