ctipilot.ch


Dashlane discloses TOTP brute-force that downloaded encrypted vaults of fewer than 20 users

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

Dashlane disclosed on 2026-06-01 that an external actor brute-forced its TOTP second factor on 2026-05-31 and downloaded the encrypted vaults of fewer than 20 personal-plan accounts (TechCrunch, 2026-06-02). The technique abuses the bounded TOTP keyspace: a six-digit code has only one million possible values per 30-second window, and a verifier that tolerates one step of clock skew accepts three of them at any instant, so an attacker who knows the account's login identifier and can submit guesses unthrottled against the new-device-registration endpoint needs on the order of a few hundred thousand attempts rather than any secret; a single accepted code registers a new trusted device, which can then pull the vault (The Hacker News, 2026-06-02). Dashlane's rate limiting locked the targeted accounts (since restored), and the company states that its infrastructure was not compromised. The downloaded vaults remain encrypted under each user's master password, which Dashlane does not store, so the residual risk is offline cracking: a weak or reused master password can now be guessed without any further contact with Dashlane's servers (BleepingComputer, 2026-06-01). The resulting exposure matches the 2022 LastPass breach, where exfiltrated encrypted vault backups likewise left weak master passwords open to offline cracking; the initial access differs, since LastPass's vaults were taken from cloud backup storage with credentials stolen from a compromised engineer's workstation, not by brute-forcing a device-registration factor. The control that bounds this attack is a per-account attempt limit (per-IP limits alone do not help against a distributed guesser), which caps the attacker's success probability at roughly three times the permitted attempts divided by one million per window.
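To make the keyspace arithmetic concrete, the following is an added example written for this brief; it is not Dashlane's code and makes no claim about how Dashlane's registration endpoint or rate limiter is built. It implements RFC 4226/6238 TOTP, a registration verifier that accepts one step of skew (three valid codes out of one million), an attacker that enumerates every six-digit code, and the per-account attempt limit that turns an eventual success into a lockout. The secret, timestamp and attempt limit are constructed values chosen for the demonstration.

```python
"""Added example for the Dashlane TOTP brute-force brief: RFC 6238 TOTP,
a new-device-registration verifier, an enumerating attacker, and the
per-account attempt limit that bounds the attacker.  Constructed code, not
Dashlane's; the lockout model (lock after N failures) is an assumption."""
import hashlib
import hmac
import struct

DIGITS = 6      # six-digit codes: 10**6 possible values
STEP = 30       # seconds per TOTP step
SKEW = 1        # steps of clock drift tolerated on each side of "now"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1, dynamic truncation, decimal mod 10**digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP over the Unix-time step counter."""
    return hotp(secret, now // step, digits)


class RegistrationVerifier:
    """Server side of a new-device-registration check.

    With SKEW=1 the codes for the previous, current and next step are all
    accepted, so 3 of the 10**6 codes are valid at any instant.  With
    max_attempts=None nothing stops an attacker from trying them all; with a
    per-account limit the account locks after that many failures instead."""

    def __init__(self, secret: bytes, max_attempts=None, skew: int = SKEW):
        self.secret = secret
        self.max_attempts = max_attempts
        self.skew = skew
        self.failures = 0
        self.locked = False
        self._cache = None  # (step counter, accepted codes) for that step

    def _accepted(self, now: int) -> set:
        counter = now // STEP
        if self._cache is None or self._cache[0] != counter:
            codes = {hotp(self.secret, counter + d)
                     for d in range(-self.skew, self.skew + 1)}
            self._cache = (counter, codes)
        return self._cache[1]

    def verify(self, code: str, now: int) -> str:
        """Returns "ok", "bad" or "locked"."""
        if self.locked:
            return "locked"
        # compare_digest per candidate so timing does not reveal which step matched
        if any(hmac.compare_digest(code, c) for c in self._accepted(now)):
            self.failures = 0
            return "ok"
        self.failures += 1
        if self.max_attempts is not None and self.failures >= self.max_attempts:
            self.locked = True
            return "locked"
        return "bad"


def brute_force(verifier: RegistrationVerifier, now: int):
    """Attacker who knows the account identifier but no secret, submitting
    every six-digit code in order until accepted, locked out, or exhausted.
    Returns (outcome, submissions, accepted_code_or_None)."""
    for guess in range(10 ** DIGITS):
        code = str(guess).zfill(DIGITS)
        result = verifier.verify(code, now)
        if result == "ok":
            return "ok", guess + 1, code
        if result == "locked":
            return "locked", guess + 1, None
    return "exhausted", 10 ** DIGITS, None


def success_probability(attempts: int, accepted: int = 2 * SKEW + 1,
                        space: int = 10 ** DIGITS) -> float:
    """Probability that `attempts` distinct guesses hit one of `accepted`
    valid codes among `space`, sampling without replacement within one step."""
    p_miss = 1.0
    for i in range(attempts):
        remaining = space - i
        p_miss *= max(remaining - accepted, 0) / remaining
    return 1.0 - p_miss


if __name__ == "__main__":
    SECRET = b"12345678901234567890"   # constructed: the RFC 4226 test secret
    NOW = 1_700_000_000                # constructed fixed timestamp
    print("unthrottled:", brute_force(RegistrationVerifier(SECRET), NOW))
    print("5-attempt lockout:", brute_force(RegistrationVerifier(SECRET, max_attempts=5), NOW))
    print("P(success | 5 attempts) =", success_probability(5))
    print("P(success | 250000 attempts) =", success_probability(250_000))
```

Run stand-alone it prints the unthrottled attacker landing on the smallest currently valid code after that many submissions, the throttled attacker stopped at "locked" after five, and the per-window success probability the limit leaves (about 1.5e-5 for five attempts against three valid codes). The attempt counter is keyed to the account, not the source address, which is what makes it effective against a guesser spread across many IPs.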