Dashlane’s 2FA ‘Brute Force’ Claim Leaves Security Experts Baffled

A Security Advisory That Raises More Questions Than Answers
Dashlane recently issued a security advisory stating that an external party managed to obtain 20 encrypted user vaults. While the company was quick to notify the affected individuals, the technical explanation provided for the breach has triggered a wave of skepticism across the cybersecurity community. According to Dashlane, the incident began on Sunday, May 31, 2026, when attackers launched a “brute force attack” specifically targeting two-factor authentication (2FA) protections to register unauthorized devices on existing accounts.
On the surface, the company’s narrative is straightforward: attackers tried to guess 2FA codes until they got in. For anyone familiar with how these protocols work, however, the math and the mechanics do not line up. Typical 2FA uses a six-digit time-based one-time password (TOTP) that rotates every 30 seconds (servers usually accept one step on either side for clock skew). There are a million possible codes, and each guess has a one-in-a-million chance of being right whether or not the code has rotated since the previous guess, so an attacker needs on the order of a million requests against the same account to expect a single hit, and cannot get anywhere near that number if the account is throttled or locked.
The Math of the ‘Brute Force’ Claim
The discrepancy becomes even more glaring when looking at user evidence. One UK-based user provided a screenshot of a 2FA notification that remained valid for an unusually long window of three hours. Even three hours does not change the picture much: sweeping all million codes in that window means roughly 100 requests per second against a single account, sustained for the full three hours (against a standard 30-second code it would be more than 30,000 per second). Without strict rate-limiting per account, not merely per source IP, which attackers rotate freely, Dashlane’s servers would have had to absorb that entire volume.
Dashlane itself noted that its security controls “automatically locked accounts that were targeted”, which indicates that a lockout was in place, and a lockout is precisely what makes a traditional brute-force of a 2FA code infeasible. If accounts lock after a handful of failures, an attacker gets at most a few hundred evaluated guesses per account over three hours, depending on how long each lockout lasts, nowhere near the hundreds of thousands needed to find the correct code by chance.
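The arithmetic above is easy to check. The following Python is an added worked example written for this article, not Dashlane’s code or anything from its advisory: it implements a standard RFC 6238 TOTP check with a per-account failure counter and lockout, computes the request rates and success odds the text quotes, and then runs a sequential guessing attack against the verifier for a simulated three hours. The policy numbers (five failures, a 15-minute lockout, 100 guesses per second, a three-hour window) and the secret are assumptions chosen to match the scenario, not anything known about Dashlane’s configuration.

```python
"""Added worked example (not Dashlane's code or the article's): what a
per-account lockout does to brute-forcing a six-digit TOTP. All policy
numbers (5 failures, 15-minute lockout, 100 guesses/s, 3-hour window)
are assumptions chosen to match the article's scenario."""
import hashlib
import hmac
import math
import struct
from dataclasses import dataclass

CODE_SPACE = 10**6  # six decimal digits
STEP_S = 30         # RFC 6238 default time step


def totp(secret: bytes, now_s: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code the attacker has to guess."""
    counter = struct.pack(">Q", now_s // STEP_S)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10**digits:0{digits}d}"


def success_probability(attempts: int, space: int = CODE_SPACE) -> float:
    """P(at least one hit) for `attempts` guesses at a code that is uniformly
    random on each attempt; rotation of the code does not help the attacker."""
    return 1.0 - (1.0 - 1.0 / space) ** attempts


def rate_for_full_sweep(window_s: int, space: int = CODE_SPACE) -> float:
    """Requests per second needed to try every code once inside `window_s`."""
    return space / window_s


def max_attempts_under_lockout(window_s: int, per_lockout: int, lockout_s: int) -> int:
    """Upper bound on guesses the server evaluates when the account locks for
    `lockout_s` after `per_lockout` failures: lockout cycles start at
    0, L, 2L, ... < W, so there are ceil(W/L) of them."""
    return math.ceil(window_s / lockout_s) * per_lockout


@dataclass
class TotpVerifier:
    """Server-side check with a per-account failure counter and lockout.
    Times are integer milliseconds so the simulation stays exact."""
    secret: bytes
    max_failures: int = 5
    lockout_ms: int = 15 * 60 * 1000
    failures: int = 0
    locked_until_ms: int = 0

    def verify(self, code: str, now_ms: int) -> bool:
        if now_ms < self.locked_until_ms:
            return False  # locked: reject without even computing the code
        now_s = now_ms // 1000
        # Accept the current step and one step either side for clock skew.
        ok = any(hmac.compare_digest(code, totp(self.secret, now_s + d * STEP_S))
                 for d in (-1, 0, 1))
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.failures = 0
            self.locked_until_ms = now_ms + self.lockout_ms
        return False


def simulate_brute_force(verifier: TotpVerifier, window_s: int = 3 * 3600,
                         rate: int = 100, start_ms: int = 1_700_000_000_000) -> tuple[int, int, bool]:
    """Sequential guessing 000000, 000001, ... at `rate` requests/s.
    Returns (requests sent, guesses the server actually evaluated, success)."""
    interval_ms = 1000 // rate
    sent = evaluated = guess = 0
    for i in range(window_s * rate):
        now_ms = start_ms + i * interval_ms
        sent += 1
        if now_ms < verifier.locked_until_ms:
            continue  # request is answered, but no guess is evaluated
        evaluated += 1
        code = f"{guess % CODE_SPACE:06d}"
        guess += 1
        if verifier.verify(code, now_ms):
            return sent, evaluated, True
    return sent, evaluated, False


if __name__ == "__main__":
    secret = b"constructed-demo-secret-not-real"  # constructed, not a real key
    print(f"full sweep of a 3-hour window needs ~{rate_for_full_sweep(3 * 3600):.0f} req/s")
    print(f"full sweep of a 30-second window needs ~{rate_for_full_sweep(30):.0f} req/s")
    budget = max_attempts_under_lockout(3 * 3600, 5, 900)
    print(f"5-failure/15-minute lockout: at most {budget} evaluated guesses, "
          f"P(success) ~ {success_probability(budget):.1e}")
    sent, evaluated, won = simulate_brute_force(TotpVerifier(secret))
    print(f"simulation: {sent} requests sent, {evaluated} evaluated, success={won}")
```

With these assumed settings the attacker sends 1,080,000 requests over three hours but the server evaluates only 60 of them, and the chance that one of those 60 is correct is about 6 in 100,000. The lockout is per account and keyed on failures rather than on source IP, which is the property that actually defeats distributed guessing; a lockout that is only per IP would let an attacker with many addresses keep the full request rate.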
Alternative Theories: Fatigue or Device Enrollment?
Given the lack of technical clarity, analysts are considering alternative scenarios that Dashlane may have mislabeled or glossed over. One likely candidate is a 2FA fatigue attack (also called MFA push bombing). In this scenario, an attacker who already holds the user’s primary password repeatedly triggers push notifications to the user’s device until the frustrated or distracted user taps “Approve”, granting the attacker access. This is a common tactic in high-profile breaches, such as the Uber hack in 2022. It also fits the evidence better than code guessing: a prompt that stays valid for three hours, as the UK user observed, looks like an approval request, not a rotating TOTP code.
Another possibility is an exploit targeting the device enrollment process. Attackers may have found a way to make the system treat a new device as authorized, through social engineering or a flaw in the registration handshake, rather than by guessing a numeric code.
The Critical Gap in Communication
The most concerning aspect of this incident isn’t just the breach of 20 vaults, but the communication gap. The aforementioned UK user reported that they only learned about the security incident via Mastodon’s infosec community, rather than through a direct channel from Dashlane, despite having received the suspicious 2FA prompt themselves. This suggests a breakdown in the company’s incident response transparency.
Dashlane has emphasized that because the vaults are encrypted with a master password that the company does not store, the contents of the stolen vaults remain secure. That is a fundamental strength of zero-knowledge architecture, with the usual caveat that a stolen vault is protected only as well as its master password resists offline guessing, and it does not excuse the opaque description of how the perimeter was breached.
As of this writing, Dashlane has remained silent for over 48 hours following the publication of the advisory and has not responded to requests for technical clarification. Until the company provides a detailed post-mortem explaining exactly how 2FA was bypassed, the “brute force” label remains a convenient but technically improbable explanation for the event.