Dashlane discloses TOTP brute-force that downloaded encrypted vaults of fewer than 20 users
From CTI Daily Brief — 2026-06-03 · published 2026-06-03
Dashlane disclosed (on 2026-06-01, for an attack dated 2026-05-31) that an external actor brute-forced its TOTP second factor to download the encrypted vaults of fewer than 20 personal-plan accounts (TechCrunch, 2026-06-02). The technique abuses the bounded TOTP keyspace — one million six-digit codes per 30-second window — by submitting a high volume of attempts against the new-device-registration endpoint, where a single correct code registers a new trusted device that can then pull the vault (The Hacker News, 2026-06-02). Dashlane's rate-limiting locked the targeted accounts (since restored) and the company states its infrastructure was not compromised; vault contents remain encrypted under the user's master password, which Dashlane does not store, but weak master passwords now face offline cracking (BleepingComputer, 2026-06-01). This is structurally the same new-device-registration kill chain that enabled vault theft in the 2022 LastPass breach.
Defender takeaway: TOTP is a shared-secret factor with a small enumerable keyspace; for credential-manager and high-value account authentication, migrate to phishing-resistant FIDO2/WebAuthn or passkeys, which are not brute-forceable, and enforce aggressive per-account back-off plus alerting on rapid sequential authentication attempts carrying different OTP values from one source.
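As an added illustration of the takeaway above (example code written for this brief, not Dashlane's telemetry or tooling): a detector that flags one source submitting many distinct OTP values against one account inside a single TOTP step, an exponential per-account back-off that would have discarded most of those guesses, and a small probability helper showing why the keyspace argument depends entirely on how many guesses per window the endpoint accepts. The log format, field names (`src`, `acct`, `ep`, `otp`, `result`), thresholds and the sample lines are all assumptions constructed for the example.

```python
"""TOTP brute-force detection and throttling for a device-registration endpoint.
Added example; log layout, field names, thresholds and sample lines are assumed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

TOTP_KEYSPACE = 10**6      # six-digit codes: 000000..999999
WINDOW_SECONDS = 30        # one TOTP step, also the detection window
DISTINCT_OTP_ALERT = 5     # distinct codes from one source at one account -> alert

# Constructed sample log (assumed format: ISO timestamp then key=value fields).
SAMPLE_LOG = """\
2026-05-31T10:00:00Z src=203.0.113.5 acct=alice ep=device_register otp=104233 result=fail
2026-05-31T10:00:01Z src=203.0.113.5 acct=alice ep=device_register otp=558190 result=fail
2026-05-31T10:00:01Z src=203.0.113.5 acct=alice ep=device_register otp=772041 result=fail
2026-05-31T10:00:02Z src=203.0.113.5 acct=alice ep=device_register otp=013377 result=fail
2026-05-31T10:00:02Z src=203.0.113.5 acct=alice ep=device_register otp=904512 result=fail
2026-05-31T10:00:03Z src=203.0.113.5 acct=alice ep=device_register otp=661208 result=fail
2026-05-31T10:00:03Z src=203.0.113.5 acct=alice ep=device_register otp=245690 result=success
2026-05-31T10:05:00Z src=198.51.100.7 acct=bob ep=device_register otp=338812 result=fail
2026-05-31T10:05:20Z src=198.51.100.7 acct=bob ep=device_register otp=338821 result=success
"""


def parse_line(line):
    """Split one log line into a dict; 'ts' becomes an aware UTC datetime."""
    ts_str, *fields = line.split()
    rec = {k: v for k, v in (f.split("=", 1) for f in fields)}
    rec["ts"] = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def detect_otp_enumeration(lines, window=WINDOW_SECONDS, threshold=DISTINCT_OTP_ALERT):
    """Return (src, acct, distinct_codes) once a source has submitted at least
    `threshold` distinct OTP values against one account within `window` seconds.
    A legitimate user retyping one code does not trip this; enumeration does."""
    recent = defaultdict(deque)   # (src, acct) -> deque of (ts, otp) inside the window
    alerted, alerts = set(), []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec.get("ep") != "device_register":
            continue
        key = (rec["src"], rec["acct"])
        q = recent[key]
        q.append((rec["ts"], rec["otp"]))
        while q and (rec["ts"] - q[0][0]).total_seconds() > window:
            q.popleft()
        distinct = {otp for _, otp in q}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append((key[0], key[1], len(distinct)))
    return alerts


class PerAccountBackoff:
    """Exponential per-account back-off: after the n-th consecutive failed OTP the
    account is locked for base * 2**(n-1) seconds (capped); a success resets it."""

    def __init__(self, base=1.0, cap=3600.0):
        self.base, self.cap = base, cap
        self.failures = defaultdict(int)
        self.locked_until = {}

    def allow(self, acct, now):
        return now >= self.locked_until.get(acct, now)

    def record(self, acct, now, success):
        if success:
            self.failures.pop(acct, None)
            self.locked_until.pop(acct, None)
            return
        self.failures[acct] += 1
        delay = min(self.cap, self.base * 2 ** (self.failures[acct] - 1))
        self.locked_until[acct] = now + timedelta(seconds=delay)


def replay_with_backoff(lines, backoff=None):
    """Replay the log through the back-off; return how many submissions would have
    been rejected before the OTP was even checked (a blocked correct code is wasted)."""
    backoff = backoff or PerAccountBackoff()
    blocked = 0
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        if not backoff.allow(rec["acct"], rec["ts"]):
            blocked += 1
            continue
        backoff.record(rec["acct"], rec["ts"], rec["result"] == "success")
    return blocked


def brute_force_success_probability(guesses_per_window, windows, keyspace=TOTP_KEYSPACE):
    """P(at least one correct code) for `guesses_per_window` distinct guesses in each
    of `windows` TOTP steps. Each step has a fresh code, so steps are independent."""
    p_window = min(1.0, guesses_per_window / keyspace)
    return 1.0 - (1.0 - p_window) ** windows


if __name__ == "__main__":
    print(detect_otp_enumeration(SAMPLE_LOG.splitlines()))       # alice flagged, bob not
    print(replay_with_backoff(SAMPLE_LOG.splitlines()))          # guesses the back-off discards
    print(brute_force_success_probability(5, 100))               # capped guessing, ~5e-4
    print(brute_force_success_probability(10**6, 1))             # uncapped: certain
```

With the constructed lines, the enumeration detector fires on `203.0.113.5` against `alice` at the fifth distinct code, while `bob` (one typo, then the right code) stays quiet; the back-off rejects four of the nine submissions, including the attacker's eventually correct guess, because the lockout had already grown past the time it arrived. The probability helper makes the keyspace point concrete: a million codes are worthless as a factor when the endpoint accepts a million guesses per step, and roughly as strong as advertised when it accepts a handful.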