There's so much I don't understand in Dashlane's disclosure that an attack on its user accounts resulted in the threat actor obtaining 20 encrypted vaults.

https://support.dashlane.com/hc/en-us/articles/36038764990866-Security-advisory-Brute-force-attack-on-Dashlane-user-accounts?7194ef805fa2d04b0f7e8c9521f97343

What does it mean to brute force 2fa? Are we talking about TOTPs? That doesn't make sense because TOTPs change every 30-90 seconds, so there's no way for an attacker to meaningfully exhaust key space before it resets all over -- unless the attacker has the ability to pump all 7,700 combinations in <90 seconds, and DL doesn't have any sort of rate limiting.

Also, if the attacker is brute forcing 2fa, doesn't that by necessity mean the attacker already defeated the first factor? How did that occur?

I don't know if my confusion is the result of me not knowing how the Dashlane product works or if it's just Dashlane being opaque.

Can anyone help me read the tea leaves?

Security advisory: Brute force attack on Dashlane user accounts

Published on Monday, June 1, 2026. Update added on Thursday, June 4, 2026, noting completion of the incident investigation with confirmation of no additional impact to Dashlane customers or systems. ...

Dashlane
@dangoodin you only need to try every option if you want to guarantee getting into a particular account. If you try a small number of codes against a large number of accounts, statistically some of them will match. And if that locks out the rest of the accounts, so be it...
@cibyr and that’s essentially a denial of service, so if you’re trying to hurt the company, job done
@dangoodin

@cibyr

Right, but to brute force 2FA, don't you first have to break the first authentication factor? That would mean the number of accounts you can brute force is limited to only those you have already compromised.

@dangoodin @cibyr yeah this type of multi user attack doesn't really make much sense, you still only get one try per request. A second factor is usually six decimal digits, meaning the attacker has a one in a million chance of outright guessing it. Usually rate limiting should kick in before anything gets broken.
@sophieschmieg @dangoodin @cibyr Unless the attacker has access to a botnet that can submit one guess from each of 10,000 zombies with unique IP addresses, dodging many rate limit strategies. Given only a hundred accounts, the likelihood of one success over a period of time is very high.

@dangoodin @cibyr Dashlane works with API keys. If you have the API key, you can download the vault. The API key is protected by an emailed 6-digit code. An attacker only needs the email to try to register a new device. Once the attacker has the vault they can crack it offline.

Last I checked they used Argon2d m=32MiB, t=3, p=2. Which means an attacker should get around 3500 guesses/second on an RTX 5080. At only 32 MiB it will be bandwidth limited:
(GPU memory bandwidth) / (32*1024*1024*(3*3-1))
So
960,000,000,000 / 268,435,456 = 3576 H/s

@dangoodin Without addressing the specifics of this case (about which I know no more than the public info), some 2fa authentication code implementations can be vulnerable if they are not properly rate limited or otherwise protected against high speed stuffing. Usually of course 2fa follows a successful id/password authentication, though not always.

@lauren

Right, but none of that addresses the questions I'm asking here.

@dangoodin You asked about TOTP. Yes, a broken implementation can be stuffed.

@lauren

Yes, with more than 4,000 guesses in 40 seconds to be successful. That sounds possible, but also leaves a large margin for doubt.

@dangoodin It's doable. And it happens. Set enough automated systems to work at it and it can succeed enough to be profitable, just like spam. Low percentage success doesn't mean they don't do it.

@lauren it reminds me of AuthQuake:

The vulnerability identified by Oasis, at its core, concerns a lack of rate limit and an extended time interval when providing and validating these one-time codes, thereby allowing a malicious actor to rapidly spawn new sessions and enumerate all possible permutations of the code (i.e., one million) without even alerting the victim about the failed login attempts.

@dangoodin

Microsoft MFA AuthQuake Flaw Enabled Unlimited Brute-Force Attempts Without Alerts

Microsoft’s MFA flaw, AuthQuake, let attackers bypass protections in 3 minutes. Fixed October 2024.

The Hacker News

@dangoodin the article states that they did automatically protect against high rates

@lauren

@GuillaumeRossolini @dangoodin If you can't stuff it, and if it is a TOTP system, the only other likely possibilities involve issues like deeper implementation issues (e.g., more than one response will match, making the search space much smaller, etc.). Or there's something else going on entirely. Not enough info.

@lauren oh yes the article is definitely low on details and it reads like they are using words that may bring some empathy

I’m guessing there was a combination of a leak somewhere that allowed the attacker to spray passwords, identifying the accounts they could even try to attack further

Then the brute force aspect on those, but really, how fast did their automated system catch on? Can it be called a brute force attack if each account saw 5 tries before being put on hold?

Or did they consider that because of how many accounts were targeted (which they don’t say), it still counts as brute forcing?

And this gem

Our team has taken steps to mitigate the risk of future incidents and continue to harden our resiliency

@dangoodin

@dangoodin it may only be 20 encrypted vaults but I reckon a lot more users affected. Because I'm one of them.

@dangoodin

No rate limiting? No lockout or cooldown after n failures?

Or just let 'em rip at one guess every 30ms?

@bradr @dangoodin Rate limiting is hard to do well. If you apply it per client IP, then a big botnet can all guess in parallel. If you apply it per account, then an attacker in one place can lock out the legitimate user wherever they are.
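As an added example that is not part of this thread and not Dashlane's code: a small Python model of the arithmetic several posters have been doing above (the chance of at least one hit when spraying a few guesses at many accounts, and the memory-bandwidth ceiling on Argon2 guessing quoted earlier), plus a toy OTP verifier that shows how a per-account failure counter and a per-IP failure counter behave against an attacker rotating through a botnet. The account names, bot labels, the 5-failure limit and the 960 GB/s figure are constructed for illustration; the verifier is a toy, not a reproduction of any real service.

```python
import random

OTP_SPACE = 10**6  # six decimal digits: one-in-a-million per blind guess


def p_at_least_one_hit(accounts: int, guesses_per_account: int,
                       space: int = OTP_SPACE) -> float:
    """Chance that trying k distinct codes against each of N accounts
    matches at least one account's current code."""
    p_miss = 1.0 - guesses_per_account / space
    return 1.0 - p_miss ** accounts


def argon2_bandwidth_bound(bandwidth_bytes_per_s: float, mem_bytes: int,
                           t: int) -> float:
    """Memory-bandwidth ceiling on Argon2 guesses/s for given m and t,
    using the (3*t - 1) memory-traversal model a poster quoted above."""
    return bandwidth_bytes_per_s / (mem_bytes * (3 * t - 1))


class OtpVerifier:
    """Toy OTP check with a pluggable failure counter (assumed design).

    strategy='per_account': failures counted per account (lockout DoS risk)
    strategy='per_ip':      failures counted per source address (botnet bypass)
    """

    def __init__(self, codes: dict, strategy: str, max_failures: int = 5):
        self.codes = codes            # account -> currently valid code
        self.strategy = strategy
        self.max_failures = max_failures
        self.failures: dict = {}

    def verify(self, account: str, ip: str, code: int) -> str:
        key = account if self.strategy == "per_account" else ip
        if self.failures.get(key, 0) >= self.max_failures:
            return "locked"           # limiter refused to even check the code
        if self.codes[account] == code:
            return "ok"
        self.failures[key] = self.failures.get(key, 0) + 1
        return "wrong"


def spray(strategy: str, n_accounts: int, n_ips: int,
          guesses_per_account: int, seed: int = 1) -> dict:
    """Attacker walks codes 0,1,2,... against every account, rotating the
    source address on each request. Returns how many requests the limiter
    actually checked ('through' = 'ok' + 'wrong') versus refused ('locked')."""
    rng = random.Random(seed)
    accounts = [f"user{i}@example.com" for i in range(n_accounts)]  # constructed
    codes = {a: rng.randrange(OTP_SPACE) for a in accounts}         # server side
    ips = [f"bot{i}" for i in range(n_ips)]                         # constructed
    v = OtpVerifier(codes, strategy)
    counts = {"ok": 0, "wrong": 0, "locked": 0}
    request_no = 0
    for a in accounts:
        for guess in range(guesses_per_account):
            ip = ips[request_no % n_ips]
            request_no += 1
            counts[v.verify(a, ip, guess)] += 1
    counts["through"] = counts["ok"] + counts["wrong"]
    return counts


if __name__ == "__main__":
    print("P(>=1 hit), 100 accounts x 5 guesses:   %.6f"
          % p_at_least_one_hit(100, 5))
    print("P(>=1 hit), 10000 accounts x 5 guesses: %.4f"
          % p_at_least_one_hit(10_000, 5))
    print("Argon2 m=32MiB t=3 at 960 GB/s: %.0f guesses/s"
          % argon2_bandwidth_bound(960e9, 32 * 1024 * 1024, 3))
    for strategy in ("per_account", "per_ip"):
        print(strategy, spray(strategy, 100, 10_000, 1000))
```

With 100 accounts and 10,000 rotating bots, the per-account counter lets roughly 500 of the 100,000 requests reach the code check before every account is locked (which is exactly the lockout-as-denial-of-service trade-off described above), while the per-IP counter lets about 50,000 through because each bot gets its own five failures. Whether any of those checked guesses is a hit is the separate one-in-a-million-per-guess question that `p_at_least_one_hit` answers.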

@dangoodin the "MFA" thing is misleading. Registering a device ONLY requires the email address & a 6-digit numeric "OTP" (e.g. TOTP or OTP via email iirc) which they call "2FA/MFA". Afterwards you can then access the vault "offline", see 4.1.2 here: https://support.dashlane.com/hc/en-us/articles/32877433567634-4-Credential-security-in-detail

Not quite sure what "brute force" means here. For non-TOTP this could be an issue with OTP lifetime? For TOTP this could just be "randomly trying with a 1 in 100000 chance until you get lucky a few times"?

It's a baffling decision & there is a reason other password managers don't just require an OTP to access the vault. It's also terrible communication imo.

@nyanbinary @dangoodin Wait, what? A username and a one-time code of some type is all you need to download the vault for offline attack? And it sounds they don’t invalidate the last email OTP when a new one is sent? That seems deeply flawed.
@bob_zim @dangoodin I don't know about the lifetime of email OTPs, I didn't test with those ftr

@dangoodin

How about that it was an inside job and this is just the cover story?