ArsTechnica

Dashlane issues opaque advisory warning 20 encrypted vaults were stolen

It’s possible that Dashlane’s reference to 2FA meant something else. Sometimes, 2FA comes in the form of push notifications. Once someone enters the correct account password, a notification is sent to the registered device, and for the login to succeed the user must press a button on that device to supply the second factor. A tactic known as 2FA fatigue, or push bombing, exploits the friction of this process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, triggering a push notification to the target each time. After dozens or even hundreds of prompts, the target finally gives in and presses the approve button.
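The push-bombing pattern described above is easy to spot in authentication logs once you look for it: many push prompts to one account in a short window, and the dangerous case is an approval that arrives after a run of denials or timeouts. The detection logic below is an added example written for this page; it is not code from the article, from Dashlane, or from any MFA vendor. The log format (timestamp, account, push outcome), the sample lines, and the window and threshold values are all assumptions chosen for illustration.

```python
"""Detect MFA push bombing (2FA fatigue) in authentication logs.

Added example, not code from the article or from Dashlane. The log format,
sample data and thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real data): ISO timestamp, account, push outcome.
# alice: attacker hammers push; she denies or ignores 11 prompts, then approves.
# bob:   two ordinary logins hours apart.
# carol: six prompts in five minutes, never approved (attempt still in progress).
SAMPLE_LOG = """\
2024-03-01T09:00:00Z bob   approved
2024-03-01T12:00:00Z alice denied
2024-03-01T12:00:30Z alice denied
2024-03-01T12:01:00Z alice denied
2024-03-01T12:01:30Z alice timeout
2024-03-01T12:02:00Z alice denied
2024-03-01T12:02:30Z alice denied
2024-03-01T12:03:00Z alice timeout
2024-03-01T12:03:30Z alice denied
2024-03-01T12:04:00Z alice denied
2024-03-01T12:04:30Z alice denied
2024-03-01T12:05:00Z alice denied
2024-03-01T12:05:30Z alice approved
2024-03-01T14:00:00Z carol timeout
2024-03-01T14:01:00Z carol timeout
2024-03-01T14:02:00Z carol denied
2024-03-01T14:03:00Z carol timeout
2024-03-01T14:04:00Z carol timeout
2024-03-01T14:05:00Z carol denied
2024-03-01T17:30:00Z bob   approved
"""

WINDOW = timedelta(minutes=10)   # sliding window length (assumed tuning value)
THRESHOLD = 5                    # prompts inside WINDOW that count as bombing


def parse_log(text):
    """Parse 'timestamp account outcome' lines into sorted (ts, account, outcome)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), account, outcome))
    return sorted(events)


def detect_push_bombing(text, window=WINDOW, threshold=THRESHOLD):
    """Return {account: finding} for accounts with >= threshold prompts in one window.

    finding["approved_after_bombing"] is True when an approval lands while the
    window is already at or over threshold, i.e. the user gave in. That is the
    event to page on, because the attacker now holds an authenticated session.
    """
    recent = defaultdict(deque)   # account -> prompts still inside the window
    findings = {}
    for ts, account, outcome in parse_log(text):
        q = recent[account]
        q.append((ts, outcome))
        while q and q[0][0] < ts - window:   # drop prompts older than the window
            q.popleft()
        if len(q) >= threshold:
            f = findings.setdefault(account, {
                "first_prompt": q[0][0],
                "max_prompts_in_window": 0,
                "approved_after_bombing": False,
            })
            f["max_prompts_in_window"] = max(f["max_prompts_in_window"], len(q))
            if outcome == "approved":
                f["approved_after_bombing"] = True
                f["approved_at"] = ts
    return findings


if __name__ == "__main__":
    for account, finding in detect_push_bombing(SAMPLE_LOG).items():
        print(account, finding)
```

On the sample data, alice and carol are flagged and bob is not; only alice carries `approved_after_bombing`, which is the one that warrants an immediate session revocation and a call to the user. A real deployment would key on the IdP's own event names and tune the window and threshold to the tenant's normal prompt rate, and would also alert on the attempt-only case (carol) since it shows the password is already compromised.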

And of course, brute-force attacks on 2FA require the first authentication factor to already have been broken. Dashlane makes no mention of what this factor is or how it was broken.

It’s also plausible that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving an enrollment request that actually adds a device the attacker controls.

Dashlane said it has contacted fewer than 20 account holders whose encrypted vaults were obtained. “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account,” the company said. It also noted that without the master decryption password—which Dashlane never sees or stores—vault contents remain safe.

But without more information, we’re left with more questions than we should be. Dashlane has maintained silence for more than 48 hours since publishing the opaque advisory. Company representatives didn’t respond to an email seeking details.
