Dashlane reported that attackers executed a coordinated hacking campaign aimed at recovering encrypted password vaults from its users. The company stated that fewer than 20 personal user vaults were downloaded before the operation was halted. The campaign began on Sunday, with the attackers exploiting the mechanism that allows users to add new devices to their accounts. By targeting Dashlane's programming interfaces for device enrollment, the attackers sent requests to numerous registered email addresses of existing users. In a security update published on Thursday, Dashlane explained that the threat actor targeted the API endpoints for device registration and employed a brute force attack to generate a high volume of automated requests. Dashlane's automated security systems responded by locking out the targeted accounts to protect users. However, before the attack was fully mitigated, the attackers managed to generate valid tokens for fewer than 20 personal plan customers, enabling them to register new devices and download copies of the encrypted vaults.
Dashlane reports on coordinated hacking campaign targeting user password vaults
Dashlane has reported a coordinated hacking campaign that targeted its users to recover encrypted password vaults. The attack exploited device enrollment mechanisms, resulting in fewer than 20 vaults being downloaded before the operation was shut down.