aimode.news
Dashlane explains how the attackers downloaded the encrypted password vault.

Dashlane said attackers ran a coordinated campaign against a large share of its user base in an attempt to retrieve as many encrypted password vaults as possible. The password manager vendor said fewer than 20 personal-plan vaults were downloaded before it shut the operation down.

In a campaign that began on Sunday, the as-yet unidentified actor abused the mechanism that lets Dashlane users add a new device, such as a computer or phone, to their account. Using Dashlane's device-registration APIs, the attackers submitted registration requests for a large number of existing users' registered email addresses. In an update posted on Thursday, Dashlane wrote:

> The threat actor targeted API endpoints for device registration and used a brute force attack to send a high volume of automated requests to these endpoints.
>
> In response, Dashlane's automated security systems worked as intended, triggering an automatic lockout of targeted accounts to protect these users. Before the attack was fully mitigated, the threat actor was able to use brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device to those accounts and download copies of the users' encrypted vaults.

The course and strategy of the attack

When a user installs the Dashlane app on a new device and attempts to enroll it into an existing account, Dashlane first verifies that the person making the request is the account holder. It does so by sending a unique six-digit token to the account's registered email address (or, for users who have two-factor authentication enabled, by validating a six-digit code generated by their authenticator app).

For the registration to succeed, the user must enter this code in the Dashlane app on the new device. Dashlane then approves the registration and sends a copy of the encrypted vault to that device. The vault's contents remain unreadable until the user enters the master password, the secret from which the vault's decryption key is derived. As Dashlane's security documentation puts it, the one-time password must be entered on the device being registered for registration to succeed. The flip side is that anyone who can produce the correct six-digit value for a target account can register a device of their own and receive that account's encrypted vault without the real user doing anything. A six-digit token has only one million possible values, so the safety of this step rests entirely on limiting how many guesses an attacker gets per token, which is what the account lockout Dashlane describes is meant to enforce; the attackers evidently got enough guesses in for a small number of accounts before that lockout took hold.
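To make the failure mode concrete, here is an added example (not Dashlane's code, and not based on any knowledge of its actual implementation) of a toy device-registration verifier written in Python. It issues a six-digit token, checks guesses in constant time, and either caps failed attempts per challenge or, when `max_attempts` is `None`, does not. The `brute_force` helper plays the attacker, walking every code in order. Names such as `DeviceRegistration`, `MAX_ATTEMPTS` and `TOKEN_TTL_SECONDS` are assumptions for illustration; the optional `token` argument to `start` exists only so the outcome is reproducible.

```python
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple

MAX_ATTEMPTS = 5          # assumed per-challenge budget of failed guesses
TOKEN_TTL_SECONDS = 600   # assumed token lifetime


@dataclass
class Challenge:
    token: str
    issued_at: float
    failures: int = 0
    locked: bool = False


class DeviceRegistration:
    """Toy model of a device-registration step guarded by a six-digit token.

    The token stands in for the value a real service would e-mail to the
    account holder; the vault itself is never touched here."""

    def __init__(self, max_attempts: Optional[int] = MAX_ATTEMPTS,
                 clock: Callable[[], float] = time.time) -> None:
        self.max_attempts = max_attempts
        self.clock = clock
        self.challenges: Dict[str, Challenge] = {}

    def start(self, email: str, token: Optional[str] = None) -> str:
        """Issue a fresh six-digit token for the account (random unless a
        fixed value is supplied for testing) and remember it server-side."""
        if token is None:
            token = f"{secrets.randbelow(1_000_000):06d}"
        self.challenges[email] = Challenge(token=token, issued_at=self.clock())
        return token  # a real service e-mails this; it is never returned to the caller

    def verify(self, email: str, candidate: str) -> str:
        """Check one guess. Returns 'registered' on success, otherwise a
        status explaining why the device was not enrolled."""
        ch = self.challenges.get(email)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"
        if self.clock() - ch.issued_at > TOKEN_TTL_SECONDS:
            return "expired"
        # Constant-time comparison so timing does not leak matching digits.
        if hmac.compare_digest(ch.token, candidate):
            del self.challenges[email]      # single use: consume the challenge
            return "registered"
        ch.failures += 1
        if self.max_attempts is not None and ch.failures >= self.max_attempts:
            ch.locked = True                # account must re-verify out of band
            return "locked"
        return "wrong"


def brute_force(reg: DeviceRegistration, email: str,
                limit: int = 1_000_000) -> Tuple[str, int]:
    """Attacker loop: try every six-digit code in order until the verifier
    either enrolls the device or stops answering. Returns (outcome, guesses)."""
    for n in range(limit):
        outcome = reg.verify(email, f"{n:06d}")
        if outcome in ("registered", "locked", "expired"):
            return outcome, n + 1
    return "exhausted", limit


def compare_policies(token: str = "734512",
                     email: str = "user@example.com") -> Dict[str, Tuple[str, int]]:
    """Run the same attacker against an uncapped and a capped verifier.
    The fixed token and address are constructed sample input."""
    frozen_clock = lambda: 1_700_000_000.0     # no expiry during the run
    uncapped = DeviceRegistration(max_attempts=None, clock=frozen_clock)
    uncapped.start(email, token=token)
    capped = DeviceRegistration(clock=frozen_clock)
    capped.start(email, token=token)
    return {
        "uncapped": brute_force(uncapped, email),
        "capped": brute_force(capped, email),
    }


if __name__ == "__main__":
    for policy, (outcome, guesses) in compare_policies().items():
        print(f"{policy:9s} -> {outcome} after {guesses} guesses")
```

Against the uncapped verifier the attacker always wins; it just takes up to a million requests, which is cheap against an API. Against the capped one the challenge locks after five wrong guesses, so the expected success rate per token drops to five in a million, and the attacker's only remaining lever is volume across many accounts, which is exactly the pattern Dashlane describes and why the lockout has to trigger per account before the guess budget is exhausted.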
