[NEWSLETTER]score: 0.68

Dashlane Device-Enrollment API Abuse Allowed Encrypted Vault Downloads on 20 Accounts

June 9, 2026

Attackers exploited Dashlane's device-enrollment API to brute-force 2FA tokens, register attacker-controlled devices, and download encrypted vaults for fewer than 20 accounts. Argon2 key derivation limits offline cracking, but weak or reused master passwords remain the residual risk.

HOW THIS AFFECTS YOU

●

builderThis is a concrete example of rate-limiting failures on enrollment APIs — audit your own device-registration flows for 2FA token brute-force exposure.

●

policyThe incident illustrates how strong encryption at rest doesn't compensate for weak enrollment API controls, relevant for credential manager compliance assessments.

read original ↗arstechnica.com

← back to feed