Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible. The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.
In a campaign that started Sunday, the unknown threat actor abused the mechanism that allows Dashlane users to add new devices, such as computers or phones, to their accounts. By hammering Dashlane's programming interfaces for device enrollment, the attackers triggered enrollment requests for large numbers of existing accounts, each of which caused a one-time code to be sent to the account's registered email address. In an update published Thursday, Dashlane wrote:
The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.
In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.
The flow and strategy of the attack
When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder’s identity. This verification is completed by sending a one-time six-digit token to the user’s registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app).
For the registration to succeed, the user must enter this code into the Dashlane application. At this point, Dashlane approves the enrollment and sends a copy of the encrypted vault to the device. Vault contents remain unreadable until the user enters the master password, from which the decryption key is derived. As Dashlane explains in its security documentation, the one-time password must be entered on the new, enrolling device for the registration to be successful.
Brute-forcing the one-time code for a single account, meaning iterating through every possible combination until the right one is accepted, would be little more than a fool's errand, even within the three-hour window during which the codes remained valid. With 1 million possible codes, each guess has a one-in-a-million chance of being right, and an attacker would have to submit a large fraction of the code space within that window to have any realistic chance. Rate limiting, in which only a set number of attempts is allowed per account, would also lock out the account long before that.
To improve their odds, the attackers triggered new-device registration requests across a large number of accounts and then submitted guesses against each of them in parallel. In theory, a round of guesses (one guess against each targeted account) has roughly a 1 in 500,000 chance of hitting when two accounts are targeted, about 1 in 1,000 with 1,000 accounts, and so on. The more accounts that are targeted, the better the chance that at least one of them falls. The economics of password spraying work the same way. The technique also sidesteps per-account rate limiting, because the attempts are spread across many accounts and no single account sees more than a few.
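The arithmetic in the two paragraphs above, worked through in code. This is an added example, not Dashlane's code or anything from its write-up: it computes the expected yield of spraying a six-digit code across many accounts, runs a small simulation with a deliberately shrunk code space so that hits appear quickly, and contrasts a per-account attempt limiter (which the spray evades) with a hypothetical per-source limiter keyed on an attribute such as source IP (which the spray trips). The limits, the account names and the source address are assumed values chosen for illustration.

```python
import random
from collections import defaultdict

# Six-digit one-time code, as described in the article.
CODE_SPACE = 10 ** 6


def p_round_hits(accounts: int, code_space: int = CODE_SPACE) -> float:
    """Probability that one round (one fresh guess against each targeted
    account) lands on at least one account's code."""
    return 1.0 - (1.0 - 1.0 / code_space) ** accounts


def expected_hits(accounts: int, guesses_per_account: int,
                  code_space: int = CODE_SPACE) -> float:
    """Expected number of accounts whose code is guessed when every targeted
    account receives `guesses_per_account` distinct guesses before lockout."""
    per_account = min(guesses_per_account, code_space) / code_space
    return accounts * per_account


def simulate_spray(accounts: int, guesses_per_account: int, code_space: int,
                   seed: int = 1) -> int:
    """Monte Carlo check of expected_hits: draw a random code per account and
    count how many fall to `guesses_per_account` distinct guesses."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(accounts):
        code = rng.randrange(code_space)
        guesses = rng.sample(range(code_space), guesses_per_account)
        if code in guesses:
            hits += 1
    return hits


class EnrollmentLimiter:
    """Two limiters side by side. The per-account limit is what a spray
    evades; the per-source limit (hypothetical, keyed on something like source
    IP or API client) rejects a burst of enrollment attempts no matter how
    many different accounts it is spread over."""

    def __init__(self, per_account_limit: int = 5, per_source_limit: int = 50):
        self.per_account_limit = per_account_limit
        self.per_source_limit = per_source_limit
        self.account_attempts = defaultdict(int)
        self.source_attempts = defaultdict(int)

    def allow(self, account: str, source: str) -> bool:
        self.account_attempts[account] += 1
        self.source_attempts[source] += 1
        return (self.account_attempts[account] <= self.per_account_limit
                and self.source_attempts[source] <= self.per_source_limit)


def spray_allowed(limiter: EnrollmentLimiter, accounts: int,
                  guesses_per_account: int, source: str = "203.0.113.7") -> int:
    """Number of guesses the limiter lets through when one source spreads
    `guesses_per_account` guesses over `accounts` constructed account names."""
    allowed = 0
    for i in range(accounts):
        for _ in range(guesses_per_account):
            if limiter.allow(f"user{i}@example.invalid", source):
                allowed += 1
    return allowed


if __name__ == "__main__":
    print(f"1 account, 5 guesses: {expected_hits(1, 5):.1e} expected hits")
    print(f"1,000 accounts, 1 round: P(hit) = {p_round_hits(1000):.1e}")
    print(f"1,000,000 accounts, 5 guesses each: {expected_hits(10**6, 5):.1f} expected hits")
    # Shrunk to 3-digit codes so a quick run shows hits (expected ~10).
    print("simulated hits with 3-digit codes:", simulate_spray(2000, 5, 10**3))
    per_account_only = EnrollmentLimiter(per_account_limit=5, per_source_limit=10**9)
    both = EnrollmentLimiter(per_account_limit=5, per_source_limit=50)
    print("guesses allowed, per-account limit only:", spray_allowed(per_account_only, 1000, 5))
    print("guesses allowed, per-source limit added:", spray_allowed(both, 1000, 5))
```

The per-account limiter lets all 5,000 guesses through because no account exceeds five attempts; the per-source limiter stops the same spray after 50. In practice the source key would need to cover more than a single IP (rotating proxies are routine), which is why the first signal worth alerting on is the volume of enrollment requests itself, not failures on any one account.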
Ultimately, the code-spraying attack hit the right combination on fewer than 20 user accounts, according to Dashlane, before it was shut down. The company said it has contacted all of those users and that any user who has not received a notification is unaffected.
For attackers to obtain the decrypted vault contents for those accounts, they would still have to crack the master password. Dashlane makes this difficult by using Argon2, a memory-hard key derivation function, to turn the master password into the key that decrypts the vault. Each derivation deliberately consumes a fixed amount of CPU time and memory, so testing large numbers of guesses requires a tremendous amount of time and computing resources, even when the cracking is performed on GPUs or special-purpose hardware.
That means the chances of the attackers decrypting one of the vaults they obtained are very small if the master password was strong, meaning long, randomly generated, and high-entropy. However, not everyone uses such master passwords. If the master password appears in the word lists exchanged by password crackers, the chances of success would be higher, although still unlikely.
Broadly speaking, the incident has similarities to the 2022 LastPass breach, which also allowed attackers to obtain encrypted user vaults. Eventually, the attackers managed to obtain decrypted information from some of them. The success was the result of two things.
First, certain fields, such as website URLs, remained unencrypted in LastPass vaults. That meant attackers could read them without the master password. Second, some of the stolen vaults had been protected with low iteration counts of the PBKDF2 key derivation function, which did not adequately slow the conversion of a candidate master password into the decryption key. Dashlane has said that no user fields in its vaults are stored unencrypted. Further, when Dashlane strengthens its key derivation parameters to account for advances in cracking, the upgrade is applied automatically, with no user interaction required. The corresponding upgrade for LastPass vaults at the time came with more user friction.
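To make the key-derivation argument of the last few paragraphs concrete, the following is an added example, not Dashlane's or LastPass's code. It derives a vault key two ways, with a memory-hard function and with a cheap low-iteration PBKDF2 setting of the kind that older LastPass vaults were found to use, times one guess of each on the local machine, and extrapolates to the size of a cracking word list versus a random 12-character password. Argon2 is not in the Python standard library, so scrypt stands in for it here; the password, salt, cost parameters, word-list size and lane count are all assumed values for illustration, not Dashlane's actual settings.

```python
import hashlib
import time

# Constructed sample inputs; not real user data or Dashlane parameters.
SAMPLE_MASTER_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")


def derive_vault_key_memory_hard(password: bytes, salt: bytes,
                                 n: int = 2 ** 14, r: int = 8, p: int = 1) -> bytes:
    """Memory-hard derivation of the vault key. scrypt stands in for Argon2
    (assumption: Argon2 itself is not in the standard library); like Argon2 it
    makes every guess spend CPU time and 128*r*n bytes of RAM (16 MiB here)."""
    return hashlib.scrypt(password, salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 1024 * 1024, dklen=32)


def derive_vault_key_legacy(password: bytes, salt: bytes,
                            iterations: int = 5000) -> bytes:
    """Low-iteration PBKDF2-HMAC-SHA256: cheap to compute, so cheap to guess.
    Older LastPass vaults were found with settings in this range or lower."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_guess(kdf, password: bytes = SAMPLE_MASTER_PASSWORD,
                      salt: bytes = SAMPLE_SALT, trials: int = 3) -> float:
    """Wall-clock cost of one derivation on this machine, single core."""
    start = time.perf_counter()
    for _ in range(trials):
        kdf(password, salt)
    return (time.perf_counter() - start) / trials


def candidate_space(charset_size: int, length: int) -> int:
    """Candidates to consider for a random password of `length` symbols
    drawn from an alphabet of `charset_size`."""
    return charset_size ** length


def expected_crack_seconds(candidates: int, cost_per_guess: float,
                           parallel_lanes: int = 1) -> float:
    """Expected time to hit a uniformly random target: half the space on
    average, spread over `parallel_lanes` independent crackers."""
    return candidates / 2 * cost_per_guess / parallel_lanes


if __name__ == "__main__":
    legacy = seconds_per_guess(derive_vault_key_legacy)
    hard = seconds_per_guess(derive_vault_key_memory_hard)
    print(f"legacy PBKDF2, 5000 iterations: {legacy * 1e3:.2f} ms per guess")
    print(f"memory-hard scrypt, 16 MiB:     {hard * 1e3:.2f} ms per guess "
          f"({hard / legacy:.0f}x the legacy cost)")
    wordlist = 10 ** 8                   # assumed size of a large cracking word list
    random12 = candidate_space(62, 12)   # 12 random letters and digits
    for label, n in (("word-list password", wordlist), ("12 random alphanumerics", random12)):
        years = expected_crack_seconds(n, hard, parallel_lanes=1000) / (86400 * 365)
        print(f"{label}: {n:.2e} candidates, ~{years:.2e} years on 1,000 lanes")
```

The point the numbers make is the one the article makes in words: with a memory-hard function the per-guess cost is large, but a word-list password still falls in days to weeks on modest parallel hardware, while a random 12-character one does not fall in any useful timeframe. A GPU cracker does not get the usual 1,000x speedup here, because each lane has to hold the function's working memory, which is exactly what the memory-hard design is for.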
Dashlane’s initial notification left out key details of the attack and led to considerable confusion about the ongoing risk users faced.
Out of an abundance of caution, affected users should immediately change both their master password and every credential stored in the downloaded vaults, to reduce the chance, however unlikely, that the attackers succeed in breaking the master password. Unaffected Dashlane users don't need to take any such action.