Updated June 2: This article has been updated with details of an official security advisory and customer FAQ regarding the Dashlane Password Manager brute-force attack security incident, along with confirmation that some encrypted password vaults were downloaded by the attacker.

Dashlane users are reporting that their accounts have been temporarily suspended after the password manager confirmed it was targeted by a brute-force attack. The number of affected users has not been disclosed; however, Dashlane has now confirmed that “fewer than 20” encrypted password vaults belonging to personal users were also downloaded by the attacker.

Impacted users received emails that read: “Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn’t enter the correct token after several tries.” These users were also advised to contact customer support.

The brute-force attacks appear to have started on Sunday, May 31, when Dashlane confirmed that it was investigating “reports from several users having received an email that their account has been suspended.” Dashlane also said that some users were “experiencing difficulties in logging in to Dashlane after resetting their master password.” Later the same day, Dashlane updated that status message to say that the situation had been resolved and that “certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security measures.”

Attackers Also Downloaded Copy Of A Small Number Of Dashlane Encrypted Password Vaults

I reached out to Dashlane for further clarification and Jordan Fylonenko, its senior director of corporate communications, confirmed that “there is no evidence that Dashlane’s internal system has been impacted.” Fylonenko also advised that Dashlane has now published an official security advisory and customer FAQ, which provides “additional details of the incident, investigation status, impact to user accounts, and steps we’ve taken to protect customers.”

The advisory included further details of the attack itself, noting that the goal was to “brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.” Brute-force attacks generally involve a large volume of attempts, and the Dashlane incident appears no different. “Because of the high volume of attempts on user accounts,” the advisory continued, “Dashlane’s security controls automatically locked accounts that were targeted by the attack.”

Dashlane also confirmed that “the attackers were able to download a copy of the encrypted vaults of fewer than 20 personal plan users.” While the number is small, any downloading of encrypted password vaults is likely to cause broader concern among service users. “We have directly notified each of these users,” Dashlane said, adding that for anyone who has not received such a message relating to vault risk, “there is no impact to your Dashlane account.”

Without the user’s master password, these downloaded vaults cannot be accessed, which is good news if you have a strong and unique one, as you should. It is less so if you have not taken your master password creation as seriously as you should. That said, Dashlane added: “Our vault encryption ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”

What Dashlane Users Should Know About Brute Force Attacks

A brute-force attack, also known as credential-stuffing, occurs when a threat actor uses as many username and password combinations as possible in the hope that one will unlock the account in question. Most often, the credentials being used will have come from dark web marketplaces where databases of leaked and compromised passwords are traded.

This is important for Dashlane users to understand, as it suggests that this incident is part of an opportunistic campaign rather than pointing to the discovery of any security vulnerability with Dashlane itself. This has been made clear by Dashlane in postings on X, as well as in the previously referenced status messages.

As well as not sharing account passwords, users are advised by Dashlane to turn on two-factor authentication “for an extra layer of security.” There is no need to delete your Dashlane account or to consider this a reason to stop using the service, as password managers remain an important part of a better security model for most consumers.