Attackers brute-forced Dashlane's device-enrollment API endpoints and downloaded fewer than 20 encrypted personal password vaults before automated lockouts ended the campaign. The operation began Sunday and was disclosed Thursday via a Dashlane security advisory.

The attack vector was Dashlane's device registration flow. When a user adds a new device, Dashlane sends a six-digit one-time token to the account's registered email. Attackers hammered the enrollment API at scale, guessing their way through the six-digit token space for a small subset of accounts, registering attacker-controlled devices, and pulling vault copies. The successful downloads were not reported to involve accounts protected by authenticator-app two-factor authentication.

The full advisory is worth reading for the technical specifics of how the API lockout triggered, what the attacker actually receives with an encrypted vault, and what Dashlane is changing in response. The bigger question it raises: if brute-forcing a six-digit token space is feasible at scale, what does that say about other services using the same device-enrollment pattern? A six-digit token has only a million possible values, so one account's token can be exhausted in minutes at a few thousand guesses per second; such a token is only as strong as the hard cap on guesses the server allows per issued token, backed by per-account and per-source throttling.
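To make the arithmetic behind the enrollment flow and the lockout concrete, here is an added example of a hypothetical server-side verifier for an emailed six-digit enrollment token, with a brute-force simulation run against it both with and without a per-token attempt cap. This is illustrative code written for this page, not Dashlane's implementation; the class and function names (`EnrollmentVerifier`, `brute_force`, `success_bound`), the five-attempt cap and the ten-minute TTL are assumptions chosen for the example.

```python
"""Hypothetical device-enrollment OTP verifier (added example, not Dashlane's code).

Shows why a six-digit emailed token is only as strong as the number of guesses
the server accepts against it, and what a per-challenge attempt cap buys.
"""
import hmac
import secrets
from dataclasses import dataclass

TOKEN_DIGITS = 6
TOKEN_SPACE = 10 ** TOKEN_DIGITS          # 1,000,000 possible tokens


@dataclass
class Challenge:
    account: str
    token: str            # what the server would e-mail to the registered address
    expires_at: float     # seconds on a fake clock passed in by the caller
    attempts: int = 0
    dead: bool = False    # consumed, expired or locked


class EnrollmentVerifier:
    """Hypothetical verifier; max_attempts=None models a server with no lockout."""

    def __init__(self, max_attempts=5, ttl_seconds=600):
        self.max_attempts = max_attempts   # assumed cap: 5 guesses per issued token
        self.ttl = ttl_seconds             # assumed lifetime: 10 minutes
        self.pending = {}                  # account -> Challenge

    def issue(self, account, now=0.0):
        # CSPRNG, zero-padded to exactly TOKEN_DIGITS digits.
        token = f"{secrets.randbelow(TOKEN_SPACE):0{TOKEN_DIGITS}d}"
        ch = Challenge(account, token, now + self.ttl)
        self.pending[account] = ch         # issuing a new token replaces the old one
        return ch

    def verify(self, account, guess, now=0.0):
        """Returns 'ok', 'bad', 'expired' or 'locked'."""
        ch = self.pending.get(account)
        if ch is None or ch.dead:
            return "locked"                # no live challenge: a fresh token is needed
        if now > ch.expires_at:
            ch.dead = True
            return "expired"
        ch.attempts += 1
        if hmac.compare_digest(ch.token, guess):   # constant-time comparison
            ch.dead = True                          # one-time: never reusable
            return "ok"
        if self.max_attempts is not None and ch.attempts >= self.max_attempts:
            ch.dead = True                          # lockout: burn the challenge
            return "locked"
        return "bad"


def brute_force(verifier, account, now=0.0):
    """Enumerate the whole token space in order, as a brute-forcing client would.

    Returns (succeeded, guesses_made)."""
    for i in range(TOKEN_SPACE):
        result = verifier.verify(account, f"{i:0{TOKEN_DIGITS}d}", now)
        if result == "ok":
            return True, i + 1
        if result in ("locked", "expired"):
            return False, i + 1
    return False, TOKEN_SPACE


def success_bound(max_attempts):
    """Attacker's best chance per issued token: guesses allowed / token space."""
    return 1.0 if max_attempts is None else max_attempts / TOKEN_SPACE


if __name__ == "__main__":
    open_server = EnrollmentVerifier(max_attempts=None)
    open_server.issue("alice")
    print("no lockout:", brute_force(open_server, "alice"))       # always succeeds

    capped_server = EnrollmentVerifier(max_attempts=5)
    capped_server.issue("bob")
    print("5-attempt cap:", brute_force(capped_server, "bob"))    # locked after 5
    print("per-token success bound:", success_bound(5))            # 5e-06
```

Without a cap, the attacker succeeds with certainty after at most a million requests per account; with a five-guess cap the chance per issued token drops to 5 in a million, and the attacker's only recourse is to trigger re-issuance, which is where per-account and per-source throttling of the "send me a token" endpoint has to take over. Note also that the cap is tracked on the challenge, not on the client, so it cannot be reset by switching source addresses.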
