aimode.news
Can't understand Dashlane's vault stolen notice? You're not alone.

There's a lot that doesn't add up in password manager Dashlane's security advisory released Monday, which warns that attackers managed to obtain 20 encrypted user vaults.

“Starting Sunday, May 31, 2026, an external third party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute force two-factor authentication (2FA) protections to allow the attacker to register new devices to existing user accounts.”

Hello Dashlane, is anyone home?

A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday.

The UK-based user was concerned and contacted Dashlane via a support bot. Ultimately, the user did not receive any information about why the notification was sent.

“Then I found out this news came from Mastodon infosec and not from Dashlane itself,” the user told me. “I'm currently trying to find out what happened! Because how can you trigger a 2fa request if you didn't get the password first? As a paying customer, I think I should have found out from Dashlane and not the IT security people at Mastodon.”

Many social media threads are full of similar comments from users who also don't understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authenticator app or sent via SMS or email. The codes are usually six digits long and change every 45 seconds or so, although, as the notification above states, this code remained valid for three hours.

Brute forcing is a trial-and-error method that rapidly submits possible combinations until it lands on the correct one. Under those assumptions, there would be 1 million possible access codes, and a successful breach would require a substantial fraction of them to be submitted within the three-hour validity window.

While the resources required to bombard Dashlane's servers with that many guesses in such a short time exist, they are not common in typical brute force attacks. Dashlane doesn't explicitly say that it imposes a limit on the number of submissions an account can make, although that seems likely based on the language in the advisory: "Due to the high volume of attempts on user accounts, Dashlane's security controls automatically locked accounts that were targeted by the attack." Even assuming there is no rate limiting, it's hard to imagine that Dashlane's servers wouldn't choke, at least temporarily, on 150,000 or more submissions in about an hour.
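To make the arithmetic behind the last two paragraphs concrete, here is an added Python example (not code from the article, Dashlane or Ars Technica). It models the odds of an attacker guessing a six-digit code at the 150,000-guesses-per-hour pace the article mentions, with and without an account lockout, and then shows the kind of per-account failure counting a defender would run over authentication logs to trigger that lockout. The log format, account names and timestamps are constructed for the example and are not Dashlane's.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

CODE_SPACE = 10 ** 6          # a six-digit one-time code has 1,000,000 values
VALIDITY_SECONDS = 3 * 3600   # the article's three-hour code validity window


def effective_attempts(window_seconds, attempts_per_hour, lockout_threshold=None):
    """Guesses an attacker can actually make inside the window.

    Without a lockout the only bound is throughput; with a lockout after
    `lockout_threshold` failures the account freezes, so that is the cap.
    """
    raw = window_seconds * attempts_per_hour // 3600
    if lockout_threshold is None:
        return raw
    return min(raw, lockout_threshold)


def success_probability(attempts, code_space=CODE_SPACE):
    """Chance that `attempts` distinct guesses include the single valid code."""
    return min(attempts, code_space) / code_space


# Constructed log format (hypothetical): ISO timestamp, account, event, result.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})Z "
    r"account=(?P<acct>\S+) event=otp_verify result=(?P<res>\w+)$"
)


def parse_line(line):
    """Return (timestamp, account, result) or None for lines that don't match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S"), m["acct"], m["res"]


def accounts_to_lock(lines, threshold=5, window=timedelta(minutes=5)):
    """Accounts with `threshold` or more failed OTP checks inside a sliding window.

    Failures older than `window` are dropped before counting, so a slow trickle
    of mistyped codes from a real user never reaches the threshold.
    """
    recent = defaultdict(deque)
    locked = set()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, acct, res = parsed
        if res != "fail":
            continue
        q = recent[acct]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            locked.add(acct)
    return locked


# Constructed sample: alice is hammered, bob mistypes once, carol fails slowly.
SAMPLE_LOG = [
    "2026-05-31T10:00:00Z account=alice event=otp_verify result=fail",
    "2026-05-31T10:00:00Z account=carol event=otp_verify result=fail",
    "2026-05-31T10:00:07Z account=alice event=otp_verify result=fail",
    "2026-05-31T10:00:15Z account=alice event=otp_verify result=fail",
    "2026-05-31T10:00:22Z account=alice event=otp_verify result=fail",
    "2026-05-31T10:00:30Z account=alice event=otp_verify result=fail",
    "2026-05-31T10:01:00Z account=bob event=otp_verify result=fail",
    "2026-05-31T10:01:30Z account=bob event=otp_verify result=ok",
    "2026-05-31T10:10:00Z account=carol event=otp_verify result=fail",
    "2026-05-31T10:20:00Z account=carol event=otp_verify result=fail",
    "2026-05-31T10:30:00Z account=carol event=otp_verify result=fail",
    "2026-05-31T10:40:00Z account=carol event=otp_verify result=fail",
    "this line is not an auth event and is ignored",
]

if __name__ == "__main__":
    rate = 150_000  # guesses per hour, the figure the article cites
    unlimited = effective_attempts(VALIDITY_SECONDS, rate)
    capped = effective_attempts(VALIDITY_SECONDS, rate, lockout_threshold=5)
    print(f"no lockout: {unlimited} guesses, p = {success_probability(unlimited):.2f}")
    print(f"lock after 5: {capped} guesses, p = {success_probability(capped):.0e}")
    print("accounts to lock:", accounts_to_lock(SAMPLE_LOG))
```

Run as a script it reports that 150,000 guesses per hour for three hours yields 450,000 attempts and a 45 percent chance of hitting the code, while a lockout after five failures drops that to five in a million; the log scan locks only `alice`, because `carol`'s five failures are spread over 40 minutes and never fall inside one five-minute window.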

![Can't understand Dashlane's vault stolen notice? You're not alone.](https://cdn.arstechnica.net/wp-content/uploads/2026/06/dashlane-app-1152x648-1780514208.webp)
