What Happened
Password manager Dashlane has disclosed that "fewer than" 20 users on the personal subscription plan had their encrypted vaults downloaded following a brute-force attack launched by an unknown party. On May 31, 2026, the company said an "external" threat actor launched a brute-force attack against certain Dashlane user accounts with the aim of breaking two-factor authentication (2FA)
Why It Matters
The article reports that password manager Dashlane experienced a brute-force attack in which an external threat actor targeted user accounts and successfully downloaded the encrypted vaults of fewer than 20 personal-plan users before protections locked the accounts.[1][2] Dashlane states that the vaults remain encrypted and that the attack targeted two-factor authentication as part of the attempt to gain access.[1][2] From a CyberSE.AI perspective, this highlights SaaS risk patterns that apply directly to AI-powered SaaS products, where user credentials, 2FA implementations, and encryption models are central to protecting sensitive data and model-connected resources. Organizations running AI SaaS or integrating password or secret managers into AI workflows should regularly assess authentication hardening, rate limiting, anomaly detection, and incident response around user accounts and stored secrets using an AI Security Readiness Assessment.
CyberSE Analysis
This signal maps to SaaS AI risk. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/dashlane-discloses-brute-force-attack.html