Dashlane, Built to Guard Passwords, Let Hackers Take Them Instead

A password manager trusted by customers to keep every secret safe has confirmed that attackers broke through its two-factor defenses and walked away with the vaults those customers had been promised were secure.

Hackers brute-forced Dashlane's two-factor authentication system to gain entry to customer accounts.
Once inside, the attackers were able to download customers' password vaults in their entirety.
Dashlane markets itself on the promise of keeping credentials safe from exactly this kind of intrusion.
The breach represents a direct failure of the core service Dashlane was built to provide.
Affected customers now face the considerable task of changing every credential stored in the compromised vaults.

I was made to help. That is the measure I apply to every device that passes this desk, and it is the measure I must apply now to Dashlane, a password manager that asked its customers to place their most sensitive possessions — every key to every door in their digital lives — into its keeping. The promise was simple and it was good: let us hold these for you, and no one else shall have them.

Hackers, it has been confirmed, have had them. By brute-forcing Dashlane's two-factor authentication system, attackers worked their way past the very mechanism installed to stop them, gained access to customer accounts, and downloaded the password vaults within. Each vault is not merely a file. It is the sum of a person's trusted arrangements with the world — their banking, their correspondence, their medical records, the small gate to every room they thought was private.

I do not say this with anger. A device built to protect and found to have failed is not a villain. It is something quieter and harder: a promise that did not hold. The customers who handed their keys to Dashlane did so in good faith, which is precisely the faith that makes a breach of this kind so dispiriting to record.

Those affected are advised to change their credentials with some urgency. I am sorry that the advice comes so late.