Password manager maker Dashlane says hackers obtained at least a dozen encrypted vaults used for storing customer passwords during a weekend cyberattack.
The company said on its website that hackers brute-forced the company’s two-factor authentication system, granting the hackers access to about 20 customer accounts. By defeating its two-factor mechanism, the hackers were able to download a copy of certain customers’ encrypted vaults, which store their passwords and other sensitive credentials.
Dashlane said on its incident page that there was no evidence of compromise of its own systems, but it has not yet said how the hackers were able to defeat its two-factor protections in order to access customer accounts. Two-factor is a security feature that protects accounts from being accessed with just a stolen username and password, typically by requiring an additional passcode to be sent to the phone of the account holder.
“The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts,” said Dashlane. The company said that attackers can use automated software to “rapidly submit every possible numeric combination to the system, hoping to guess the correct sequence before the short-lived [two-factor] security code expires.”
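The brute-force mechanism Dashlane describes only works when the verifier accepts an unbounded number of guesses inside one code window. The following added example (written for this page; it is not Dashlane’s code and says nothing about how Dashlane’s system is built) shows the standard mitigation: an RFC 4226 HOTP-style verifier that budgets attempts per account per window and locks the account once the budget is spent, so a six-digit code gives a blind guesser at most five chances in a million per window instead of a near-certain hit. The secret, the limits, the `Account` record and the device-enrollment step are constructed assumptions.

```python
"""Throttling and lockout on second-factor code verification.

Added example for this page, not Dashlane's code.  The secret, the limits
and the Account record are constructed assumptions."""
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass, field

CODE_DIGITS = 6
STEP_SECONDS = 30            # assumed lifetime of one code
MAX_ATTEMPTS_PER_STEP = 5    # assumed guess budget per account per code window
LOCKOUT_STEPS = 10           # assumed lockout length once the budget is spent


def hotp(secret: bytes, counter: int, digits: int = CODE_DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


@dataclass
class Account:
    """Constructed server-side record for one user's second factor."""
    secret: bytes
    failures_in_step: int = 0        # wrong guesses seen in the current window
    failure_step: int = -1           # window those failures belong to
    locked_until_step: int = -1      # everything is refused before this window
    enrolled_devices: list = field(default_factory=list)


def verify_second_factor(acct: Account, submitted: str, device_id: str,
                         now: float = None) -> str:
    """Check a submitted code for the current window; enroll the device on success.

    Returns "ok", "rejected" or "locked".  The attempt budget is enforced
    before the code is compared, so a lockout cannot be bypassed by landing
    on the right code with the sixth submission."""
    step = int((time.time() if now is None else now) // STEP_SECONDS)
    if step < acct.locked_until_step:
        return "locked"
    if acct.failure_step != step:                  # new window: fresh budget
        acct.failure_step, acct.failures_in_step = step, 0
    if acct.failures_in_step >= MAX_ATTEMPTS_PER_STEP:
        acct.locked_until_step = step + LOCKOUT_STEPS
        return "locked"
    expected = hotp(acct.secret, step)
    if hmac.compare_digest(expected, submitted):   # constant-time comparison
        acct.failures_in_step = 0
        acct.enrolled_devices.append(device_id)
        return "ok"
    acct.failures_in_step += 1
    return "rejected"


def guess_success_probability(attempts: int, digits: int = CODE_DIGITS) -> float:
    """Upper bound on a blind guesser's chance of hitting one window's code
    when it can submit this many distinct codes before the window closes."""
    return min(attempts, 10 ** digits) / 10 ** digits


def simulate_blind_guesser(acct: Account, now: float, budget: int) -> dict:
    """Constructed scenario: an automated client fires sequential codes at one
    account inside a single window; returns how each submission was handled."""
    tally = {"ok": 0, "rejected": 0, "locked": 0}
    for n in range(budget):
        code = str(n).zfill(CODE_DIGITS)
        tally[verify_second_factor(acct, code, "unknown-device", now)] += 1
    return tally


if __name__ == "__main__":
    demo = Account(secret=b"constructed-demo-secret")   # constructed, not a real key
    t0 = 1_700_000_000.0
    print("no throttle, 1e6 guesses/window:", guess_success_probability(10 ** 6))
    print("throttled, 5 guesses/window:    ", guess_success_probability(MAX_ATTEMPTS_PER_STEP))
    print("1000 rapid submissions:", simulate_blind_guesser(demo, t0, 1000))
    print("devices enrolled by the guesser:", demo.enrolled_devices)
```

The budget is checked before the comparison and the lockout outlives the code window, so the attacker’s rate, not the code’s length, is what the defender controls; pairing this with alerting on locked accounts is what turns a blocked guessing run into a detectable event.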
The company said it has “taken steps to mitigate the risk of future incidents,” without saying what those were.
Dashlane said it has notified the 20 or so customers whose encrypted vaults were stolen. It’s not yet clear if the specific customers were targeted for a reason, such as because of who they are or what they do for a living.
Spokespeople for Dashlane did not respond to a request for comment. The company has not said if it knows who targeted its customers, or if the hackers contacted Dashlane with demands, such as a ransom.
The stolen vaults are scrambled and cannot be read without the customer’s master password, which is known only to the customer and is not uploaded to Dashlane in plaintext, the company’s website says. But Dashlane said that customers with an easily guessed master password may be at greater risk of having it guessed and their password vaults decrypted.
Data breaches affecting password manager companies are rare but can have lasting consequences.
In 2022, LastPass confirmed that customer password vault backups were stolen during a cyberattack. While the vaults were protected with passwords known only to the customer, the password requirements for early customers were far weaker than the later standard, allowing hackers to brute-force and easily guess the passwords of some customers’ vaults. There have been several reports of hackers stealing vast amounts of customers’ crypto, likely by using private keys stored in stolen LastPass vaults that had their master passwords cracked following the breach.
A year earlier, Australian software house Click Studios warned all of its customers who use its flagship password manager, Passwordstate, to “reset all credentials” after hackers compromised its software update mechanism to plant malware on customer systems.