Dashlane Reveals How Attackers Copied Encrypted Vaults In May 31 Incident
Following an investigation into a security incident that resulted in an unknown number of Dashlane Password Manager users being temporarily locked out of their accounts, and, more importantly, copies of the encrypted password vaults of 20 of them being downloaded by an attacker, it can now be revealed exactly what happened. In the interests of full transparency, which is exactly how a cybersecurity platform should be operating, Dashlane has now published the results of its investigation into the May 31 brute-force attack.
The good news is that, with the Dashlane investigation now complete, no additional impacts on users beyond those already reported have been identified, nor is there any evidence that Dashlane’s internal systems were compromised. Just as importantly, although it will likely offer little comfort to those affected by the incident, the attackers’ methodology has now been fully identified. The significance of these technical findings, however, cannot be overstated as they enable Dashlane’s security teams to mitigate future risk to users.
Dashlane Publishes Conclusion Of Security Incident Investigation
To recap, the attack commenced on Sunday, May 31, when Dashlane confirmed that it was investigating “reports from several users having received an email that their account has been suspended.” Some users also reported difficulty logging in to Dashlane after resetting their master password. Following a request for further information, a Dashlane spokesperson told me that “the attackers were able to download a copy of the encrypted vaults of fewer than 20 personal plan users.”
Dashlane has now confirmed that its investigation into this incident is complete, and has confirmed that the attackers “targeted the API endpoints for device registration and used a brute-force attack to send a large volume of automated requests to those endpoints.” A brute-force attack, also known as credential-stuffing, occurs when a threat actor uses as many username and password combinations as possible in the hope that one will unlock the account in question.
“The threat actor targeted a device registration flow in their attack,” Dashlane said, referring to the flow used when adding a smartphone or laptop to an existing user’s account. To verify the account holder’s identity in such circumstances, Dashlane sends a one-time six-digit code to the registered email address or asks for a code generated by an authenticator app if two-factor authentication is enabled. “In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users,” Dashlane confirmed. That’s the good news, and explains why some users found themselves temporarily locked out of their accounts.
How Attackers Downloaded Some Encrypted Dashlane Password Vaults
So, what happened to lead to the downloading of encrypted password vaults belonging to 20 users? The answer comes by way of the fact that this is also part of that device registration flow process. When a user enters their 2FA code into the Dashlane app, the device is registered, and it downloads a copy of the encrypted vault to the device itself.
“Before the attack was fully mitigated,” Dashlane has now confirmed, “the threat actor was able to brute-force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.”
That the vaults remained encrypted here is important, as it means the attacker would need to possess the victim’s Dashlane Master Password. “As part of Dashlane’s zero-knowledge architecture,” the investigation report stated, “Dashlane does not store Master Passwords or derivatives of Master Passwords on Dashlane’s servers.” That means the attacker could not have obtained the Master Password as part of the attack. This doesn’t mean that the few users whose vaults were downloaded are entirely out of the woods, as they could be in trouble if they were to fall victim to a secondary phishing attack from the original attacker. Dashlane said that it had already contacted the affected users with their next steps regarding credentials and account security. In the meantime, Dashlane has also confirmed: “Additional layers of verification are also being added to the new device registration flow,” and that “additional protections at the network level and within the product to further detect and filter out malicious traffic” have been deployed.
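To make the incident mechanics concrete, here is an added Python sketch, not part of Dashlane’s disclosure or its code, of the server-side check for a six-digit device-registration code with the per-account failure cap that produces an automatic lockout. The class name, the five-attempt limit, the five-minute expiry and the injectable clock are assumptions made for the example; the point is that a six-digit code has only a million possibilities, so without a cap on failures a large volume of automated requests will eventually hit one.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_SPACE = 10**6       # six-digit one-time code: 1,000,000 possibilities
MAX_ATTEMPTS = 5         # assumed cap on failed verifications before lockout
CODE_TTL_SECONDS = 300   # assumed lifetime of an issued code


@dataclass
class Challenge:
    code: str
    issued_at: float
    failures: int = 0
    locked: bool = False


class DeviceRegistrationVerifier:
    """Server-side verification of the one-time code sent when a new device is registered."""

    def __init__(self, now=time.time):
        self.now = now                          # injectable clock, for tests
        self.challenges: dict[str, Challenge] = {}

    def issue_code(self, account: str) -> str:
        # Uniformly random six-digit code; returned only so the caller can deliver it.
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.challenges[account] = Challenge(code=code, issued_at=self.now())
        return code

    def verify(self, account: str, submitted: str) -> str:
        ch = self.challenges.get(account)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"                     # locked accounts reject even the right code
        if self.now() - ch.issued_at > CODE_TTL_SECONDS:
            return "expired"
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(ch.code, submitted):
            del self.challenges[account]        # single use: consumed on success
            return "ok"
        ch.failures += 1
        if ch.failures >= MAX_ATTEMPTS:
            ch.locked = True                    # the automatic lockout the article describes
            return "locked"
        return "wrong"


def guess_success_probability(attempts: int, lockout: bool = True) -> float:
    """Chance that blind guessing of one code succeeds within the given number of tries."""
    effective = min(attempts, MAX_ATTEMPTS) if lockout else min(attempts, CODE_SPACE)
    return effective / CODE_SPACE
```

With the cap in place a guesser gets at most five of a million possibilities per code, whereas with no cap the success probability climbs linearly with request volume.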
All users have been advised by Dashlane to turn on two-factor authentication “for an extra layer of security.” There is no need to delete your Dashlane account or to consider this a reason to stop using the service, as password managers remain an important piece of the better security model for most consumers.