Password manager maker Dashlane says hackers obtained at least a dozen encrypted vaults used to store customer passwords during a weekend cyberattack.
The company said on its website that hackers breached its two-factor authentication system, giving them access to about 20 customer accounts. By defeating the two-factor mechanism, the hackers were able to download copies of some customers’ encrypted vaults, which store their passwords and other sensitive credentials.
Dashlane said on its incident page that there is no evidence of a breach of its own systems, but has not yet said how the hackers were able to defeat its two-factor protection to gain access to customer accounts. Two-factor authentication is a security feature that protects accounts from being accessed with only a stolen username and password, usually by requiring an additional one-time code sent to the account holder’s phone.
“The goal of the attack was to force two-factor authentication (2FA) protections to allow an attacker to register new devices to existing user accounts,” Dashlane said. The company said attackers can use automated software to “quickly submit every possible numeric combination to the system, hoping to guess the exact sequence before the short-lived [two-factor] security code is expiring.”
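One way to blunt the code-guessing attack described above, as an added example that is not Dashlane’s code: a one-time-code verifier that caps failed guesses per pending challenge and burns the code once the cap is hit, so an attacker cannot cycle through every numeric combination within the code’s lifetime (the digit count, lifetime and attempt limit are assumed values).

```python
import hmac
import secrets
import time

# Constructed in-memory store of pending 2FA challenges, one per login
# attempt, keyed by a random challenge id. A real deployment keeps this in a
# shared store so the limit holds across application instances.
_challenges = {}

CODE_DIGITS = 6            # assumed code length
CODE_TTL_SECONDS = 300     # assumed code lifetime
MAX_ATTEMPTS = 5           # assumed number of failed guesses before the code is burned


def issue_challenge(now=None):
    """Create a pending 2FA challenge and return (challenge_id, code).

    The code would normally be delivered out of band (SMS, authenticator app);
    it is returned here only so the example runs offline.
    """
    now = time.time() if now is None else now
    challenge_id = secrets.token_urlsafe(16)
    code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
    _challenges[challenge_id] = {"code": code, "issued": now, "failed": 0}
    return challenge_id, code


def verify_code(challenge_id, submitted, now=None):
    """Return True only if `submitted` matches a live, unexhausted challenge.

    Every failure counts against the challenge; at MAX_ATTEMPTS the challenge
    is deleted, so rapid automated submission is limited to MAX_ATTEMPTS of
    the 10**CODE_DIGITS possibilities rather than all of them.
    """
    now = time.time() if now is None else now
    entry = _challenges.get(challenge_id)
    if entry is None:
        return False
    if now - entry["issued"] > CODE_TTL_SECONDS:
        del _challenges[challenge_id]          # expired: user must request a new code
        return False
    # Constant-time comparison so response timing does not leak partial matches.
    if hmac.compare_digest(entry["code"], str(submitted)):
        del _challenges[challenge_id]          # single use
        return True
    entry["failed"] += 1
    if entry["failed"] >= MAX_ATTEMPTS:
        del _challenges[challenge_id]          # burn the code after too many failures
    return False
```

The same counter should also feed alerting: a burst of burned challenges for one account is the signal that distinguishes an automated guessing campaign from a user mistyping a code.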
The company said it “has taken steps to mitigate the risk of future incidents,” without specifying what those were.
Dashlane said it has notified the 20 or so customers whose encrypted vaults were stolen. It’s not yet clear if these customers were targeted for a reason, such as who they are or what they do for a living.
Dashlane representatives did not respond to a request for comment. The company has not said whether it knows who targeted its customers or whether the hackers contacted Dashlane with demands, such as a ransom.
Stolen vaults are encrypted and cannot be read without the customer’s master password, which is known only to the customer and is not uploaded to Dashlane in plaintext, according to the company’s website. However, Dashlane said customers with an easily guessable master password may be at greater risk of hackers guessing it and decrypting their password vaults.
Data breaches affecting password management companies are rare, but can have lasting consequences.
In 2022, LastPass confirmed that backups of its customers’ password vaults were stolen during a cyberattack. While the vaults were protected with passwords known only to the customer, the password requirements for early customers were much weaker than the later standard, allowing hackers to easily brute force and guess some customers’ vault passwords. There have since been several reports of hackers stealing massive amounts of customer cryptocurrency, likely using private keys stored in stolen LastPass vaults whose master passwords were cracked after the breach.
A year earlier, Australian software house Click Studios warned all customers using its flagship password manager, Passwordstate, to “reset all credentials” after hackers breached its software update mechanism to plant malware on customer systems.
