LEMON BLOG

Dashlane Explains How Attackers Managed to Download Encrypted Password Vaults

Dashlane has shared more details about a coordinated attack that targeted its users and attempted to download encrypted password vaults from personal accounts. According to the password manager provider, the incident affected a very small number of users, with fewer than 20 personal vaults downloaded before the company stopped the operation.

While that number is limited, the incident is still important because it highlights how attackers are increasingly targeting account recovery and device registration flows, not just passwords directly. In this case, the attackers did not appear to break Dashlane's encryption system. Instead, they abused the process used when a user adds a new device to an existing Dashlane account.

That distinction matters. The stolen vaults were encrypted, meaning the attackers would still need the users' master passwords to read the contents. However, the fact that any encrypted vaults were downloaded at all naturally raises questions about how the attack worked, what risks remain, and what affected users should do next.

What Happened During the Dashlane Attack

The campaign began when attackers targeted Dashlane's device registration process. This is the mechanism used when a user installs Dashlane on a new phone, laptop, or browser and wants to connect it to their existing account.

To approve a new device, Dashlane verifies the user's identity. Depending on the account setup, this may involve a one-time code sent to the user's registered email address or a two-factor authentication code generated by an authenticator app.

The attackers focused on the programming interfaces used for device enrolment and sent large volumes of automated requests across many existing user accounts. Dashlane said its security systems detected the activity and automatically locked targeted accounts to protect users.

However, before the attack was fully stopped, the attackers managed to generate valid registration tokens for fewer than 20 personal plan customers. That allowed them to register new devices on those accounts and download encrypted copies of the users' password vaults.

Why the Vaults Were Still Protected

The downloaded vaults were not plain-text password lists. They were encrypted vaults, which means the attackers could not immediately read the saved passwords, notes, or other protected information.

Password managers such as Dashlane are designed around the idea that the master password is the key to decrypting the vault. Without that master password, the vault data should remain unreadable.

Dashlane also uses Argon2, a password hashing algorithm designed to slow down password guessing attempts. This makes it much harder for attackers to test large numbers of possible master passwords quickly, even when using powerful hardware.

That said, encryption strength depends heavily on the strength of the user's master password. A long, random, unique master password is much harder to crack than a short, reused, or predictable one.

How the Attack Strategy Worked

The attackers did not simply target one account and try every possible code. That would have been highly impractical because one-time codes have many possible combinations and are only valid for a limited time.

Instead, the attackers spread their attempts across many accounts. This kind of strategy increases the chance that one of the attempts may succeed somewhere, even if the chance of success for each individual account remains low.

In simple terms, the attack relied on volume. By targeting many accounts at once, the attackers improved their odds of eventually landing on a valid code for a small number of users.
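Because the guesses were spread thinly across many accounts, a per-account lockout rule sees only a handful of failures per account; the pattern shows up only when failed code checks are aggregated by source across distinct accounts. The following added example (not Dashlane's code; the log format, field names and thresholds are assumptions) runs both views over constructed device-registration log lines:

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Dashlane telemetry). Assumed format:
# one line per device-registration code check with timestamp, source, account, result.
SAMPLE_LOG = "\n".join(
    # One source sends two wrong codes to each of six accounts, 5 s apart.
    [f"2026-01-10T09:00:{5 * i:02d}Z ip=203.0.113.7 account=user{i // 2}@example.com "
     f"event=device_code_verify result=fail" for i in range(12)]
    # A legitimate user mistypes once and then succeeds from another address.
    + ["2026-01-10T09:01:05Z ip=198.51.100.4 account=bob@example.com event=device_code_verify result=fail",
       "2026-01-10T09:01:40Z ip=198.51.100.4 account=bob@example.com event=device_code_verify result=ok"]
)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) account=(?P<account>\S+) "
    r"event=device_code_verify result=(?P<result>\w+)$")

def parse(log_text):
    """Return a list of dicts (with a datetime 'ts') for every well-formed line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
            events.append(ev)
    return events

def per_account_failures(events):
    """Failed checks per account: the only view a per-account lockout rule has."""
    counts = defaultdict(int)
    for ev in events:
        if ev["result"] == "fail":
            counts[ev["account"]] += 1
    return dict(counts)

def spread_sources(events, window=timedelta(minutes=5), min_accounts=5):
    """Sources whose failed checks touched at least min_accounts distinct accounts
    within one window: the aggregate view that exposes a spread-out campaign."""
    fails_by_ip = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["result"] == "fail":
            fails_by_ip[ev["ip"]].append(ev)
    flagged = {}
    for ip, fails in fails_by_ip.items():
        for i, first in enumerate(fails):
            accounts = {e["account"] for e in fails[i:] if e["ts"] - first["ts"] <= window}
            if len(accounts) >= min_accounts:
                flagged[ip] = len(accounts)
                break
    return flagged
```

On the sample, every account shows at most two failures (well under a typical lockout threshold), while the aggregate view flags the one source that touched six accounts.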

The important points are:

- The attackers abused the device registration flow; they did not break Dashlane's encryption.
- Guesses were spread across many accounts, so the chance of success for any single account stayed low while the overall odds rose with volume.
- One-time codes are only valid for a limited time, which is why guessing against a single account would have been impractical.
- Dashlane's systems detected the activity and locked targeted accounts, but not before valid registration tokens were generated for fewer than 20 personal accounts.

Why This Still Matters Even If the Vaults Were Encrypted

It may be tempting to assume that encrypted vaults are harmless to attackers. In many cases, strong encryption does provide excellent protection. However, stolen encrypted vaults can still create risk if the user's master password is weak.

If a master password is short, common, reused, or based on predictable words, attackers may have a better chance of guessing it over time. This is especially true if the password appears in password-cracking wordlists or follows a familiar pattern.

For users with strong master passwords, the risk is much lower. A long, randomly generated master password with high entropy would be extremely difficult to crack.

This is why password managers always depend on two things working together:

- strong encryption and slow password hashing on the provider's side, such as Dashlane's use of Argon2
- a long, random, unique master password on the user's side

If either side is weak, the overall protection becomes weaker.

How This Compares With the LastPass Incident

The Dashlane incident naturally brings comparisons to the 2022 LastPass breach, where attackers also obtained encrypted password vaults. In that case, the long-term impact was more serious because some vault information was eventually exposed or decrypted.

There are key differences, however. One major issue in the LastPass case was that some fields, such as website URLs, were not encrypted. That meant attackers could still see certain information even without cracking the master password.

Dashlane has said that no user fields inside its vaults are left unencrypted. This is an important distinction because it means attackers should not be able to read saved site details or other vault data without successfully decrypting the vault.

Another difference involves how password-strengthening algorithms are updated. Dashlane says improvements to its algorithms are applied automatically, without requiring user action. That reduces the risk of older vaults being left behind with weaker protection settings.

What Affected Users Should Do

Dashlane said it has contacted all users whose encrypted vaults were downloaded. If a user has not received a notification, Dashlane says they were not affected by the vault download portion of the incident.

For affected users, extra caution is still important. Even though the vaults were encrypted, changing key credentials helps reduce future risk.

Affected users should consider the following steps:

- Change the Dashlane master password, choosing a long, random one that is not reused elsewhere.
- Replace important passwords stored in the vault.
- Enable two-factor authentication if it is not already turned on.
- Review the security of the email account used for verification and device approval.

Unaffected users do not necessarily need to rotate every password, but they should still treat this as a reminder to review their master password strength and account security settings.

What Unaffected Users Can Learn From This

Even if most Dashlane users were not affected, the incident is a good reminder that password manager security is not only about the vault itself. Attackers may also target login flows, device enrolment, recovery processes, email accounts, and authentication systems.

For any password manager user, a strong security setup should include:

- a strong, random master password
- two-factor authentication on the password manager account
- a well-secured email account, since it is used for verification, recovery, and device approval

The email account is especially important because many services use email for verification, recovery, or device approval. If an attacker controls the email account, they may have more opportunities to attack other accounts connected to it.

Dashlane's Communication Could Have Been Clearer

One criticism around the incident is that Dashlane's early notification did not provide enough detail. This led to confusion among users about what had happened, whether their vaults had been downloaded, and what level of risk they faced.

Clear communication is extremely important during security incidents. Users need to know whether they are affected, what data may have been accessed, what remains protected, and what actions they should take.

To Dashlane's credit, the company later explained more about the attack and confirmed that affected users had been contacted. Still, the incident shows how important it is for security companies to communicate quickly and clearly when user trust is at stake.

Final Thoughts

The Dashlane incident is a reminder that even security-focused services can be targeted through account workflows rather than direct encryption attacks. In this case, the attackers abused the device registration process and managed to download fewer than 20 encrypted personal vaults before the operation was stopped.

The good news is that the vaults remained encrypted, and attackers would still need the master passwords to read the contents. For users with strong, random master passwords, the risk of successful decryption is likely very low.

However, affected users should still act carefully by changing their master password and replacing important passwords stored in the vault. Unaffected users can use this incident as a reminder to strengthen their own account security, especially by using a strong master password and enabling two-factor authentication.

Password managers remain useful and important tools, but they are not magic shields. They work best when paired with strong authentication habits, secure email accounts, and careful user practices.

Friday, 05 June 2026