Dashlane password manager users locked out by brute force attacks
by Bill Toulas · BleepingComputer
Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices.
In a statement to BleepingComputer, the password management service confirmed that the suspensions were part of an automated security response designed to protect against account hijacking.
“We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended,” stated Jordan Fylolenko, Dashlane Senior Director of Corporate Communications.
“Our team is actively engaged in this issue and taking measures to further protect customers. There is no evidence of compromise of Dashlane’s systems.”
Worried Dashlane users reported earlier today on Reddit that they received notices of suspicious access requests from foreign countries. The emails contained verification codes for legitimate account owners to register new devices.
Many users were confused because they had not initiated the requests and tried to confirm if the communication was part of a phishing attempt targeting Dashlane users.
A few hours later, Dashlane responded to some of these Reddit threads, saying that its systems were safe and the action was triggered by brute-force attacks, which seek to gain access to an account by trying multiple passwords in succession until the correct one is found.
Secure platforms implement protection measures such as rate limiting, CAPTCHA challenges, and account lockouts to block automated attacks after a threshold of failed attempts is reached.
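As an added illustration (not from the article, and not Dashlane's actual implementation, which the article does not describe), the sketch below replays constructed login events through a per-account lockout and a per-source throttle. The class name, thresholds and IP addresses are assumptions; it shows how failed guesses spread across many sources can suspend an account for its real owner, while guesses from a single source are throttled without touching the account.

```python
from collections import defaultdict, deque

WINDOW = 300       # seconds of failure history counted per key (assumed value)
ACCOUNT_LIMIT = 4  # failures per account before lockout (assumed value)
SOURCE_LIMIT = 3   # failures per source IP before throttling (assumed value)

# Constructed sample events: (epoch seconds, account, source IP, password correct?)
EVENTS = [
    (0, "alice", "203.0.113.1", False),    # guesses spread over many sources
    (10, "alice", "203.0.113.2", False),
    (20, "alice", "203.0.113.3", False),
    (30, "alice", "203.0.113.4", False),
    (60, "alice", "198.51.100.7", True),   # real owner, correct password
    (100, "bob", "203.0.113.9", False),    # guesses from a single source
    (105, "bob", "203.0.113.9", False),
    (110, "bob", "203.0.113.9", False),
    (115, "bob", "203.0.113.9", False),
    (120, "bob", "198.51.100.8", True),    # real owner, correct password
]

class LoginGuard:
    def __init__(self):
        self.by_account = defaultdict(deque)  # failure timestamps per account
        self.by_source = defaultdict(deque)   # failure timestamps per source IP
        self.locked = set()                   # stays locked until support clears it

    def _recent(self, fails, now):
        while fails and now - fails[0] > WINDOW:  # drop failures outside the window
            fails.popleft()
        return len(fails)

    def attempt(self, ts, account, source, password_ok):
        # The source throttle is checked first, so a noisy IP never reaches the account.
        if self._recent(self.by_source[source], ts) >= SOURCE_LIMIT:
            return "throttled"
        if account in self.locked:
            return "locked"
        if password_ok:
            return "ok"
        self.by_source[source].append(ts)
        self.by_account[account].append(ts)
        if self._recent(self.by_account[account], ts) >= ACCOUNT_LIMIT:
            self.locked.add(account)
            return "locked"
        return "denied"

def replay(events):
    guard = LoginGuard()
    return [guard.attempt(*event) for event in events]
```

Calling `replay(EVENTS)` returns one outcome per event: the owner of the first account is refused despite a correct password, while the owner of the second account logs in normally.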
According to Dashlane’s status page, an investigation into the incident was launched on May 31 at 15:19 UTC, and by 22:30 UTC, the issue was marked as ‘RESOLVED,’ claiming that all affected accounts had been unsuspended.
Another update issued on June 1 at 07:32 UTC confirmed the same status, with Dashlane assuring that its team was monitoring the situation and was implementing additional targeted measures.
Despite the platform flagging the issue as resolved, some users continue to report login problems, mentioning that support is unresponsive.
BleepingComputer has asked Dashlane additional questions about the incident to determine the number of impacted accounts, but the company has not provided a response as of publication.