Security News Dashlane password manager users locked out by brute force attacks

Gandalf_The_Grey

Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices.

In a statement to BleepingComputer, the password management service confirmed that the suspensions were part of an automated security response designed to protect against account hijacking.

“We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended,” stated Jordan Fylolenko, Dashlane Senior Director of Corporate Communications.

“Our team is actively engaged in this issue and taking measures to further protect customers. There is no evidence of compromise of Dashlane’s systems.”

Worried Dashlane users reported earlier today on Reddit that they received notices of suspicious access requests from foreign countries. The emails contained verification codes for legitimate account owners to register new devices.
 
Coming from Bitwarden, I think Dashlane's approach to verifying a new device (not clear whether it's for all unknown devices/clients or only for unknown ones from unfamiliar geolocations) is interesting and different from Bitwarden. Dashlane sends an OTP before allowing the user to enter the account password, the OTP lives for 3 hours, and Dashlane "temporarily" suspends the account after OTP brute-forcing attempts. Bitwarden makes the user enter the password first, sends an OTP for all unknown clients (likely based on a cookie/token the client keeps), the OTP lasts a couple of minutes, and Bitwarden rate-limits OTP requests/entries, possibly without suspending the account.

Credential stuffing against a Dashlane account means brute-forcing the OTP, which lets Dashlane detect the attempts quickly without the accounts with leaked passwords being compromised, but an attacker may be able to arbitrarily suspend any account's login (from unknown locations?), and this results in users taking unnecessary precautionary actions. Any user can get these worrying emails even if their account isn't in danger (because their password is unique and not easily guessed).

Credential stuffing against a Bitwarden account means the attacker can enter a compromised password and then must brute-force the OTP. Without effective rate limiting on Bitwarden's side, the account could eventually be compromised. Meanwhile, users with logged-in clients (possibly most users) won't be affected by account suspension or a DoS attack; users that need to log in from unknown locations may still be affected. Getting an email from Bitwarden can mean it's time to change your leaked password.

Emergency sheets and regular backups are two of the most recommended things for users in the Bitwarden subreddit.
 
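The Dashlane-versus-Bitwarden comparison above comes down to what the server does once the OTP attempt cap is hit. The following is an added example, not code from either product or from anyone in this thread: a toy server-side OTP verifier that can be switched between suspending the account and merely discarding the challenge, so the lockout-versus-denial-of-service trade-off the post describes can be exercised directly. Code length, the attempt cap and the timestamps are assumptions.

```python
import secrets
from dataclasses import dataclass

OTP_DIGITS = 6                          # assumed code length
OTP_SPACE = 10 ** OTP_DIGITS

@dataclass
class Policy:
    ttl_s: int              # seconds a challenge stays valid
    max_attempts: int       # failed guesses allowed on one challenge (assumed)
    suspend_account: bool   # True: also lock the account, as the thread says Dashlane does

class OtpVerifier:
    def __init__(self, policy):
        self.policy, self.challenges, self.suspended = policy, {}, set()

    def issue(self, account, now):
        # One live challenge per account; reissuing replaces the old one.
        code = f"{secrets.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"
        self.challenges[account] = {"code": code, "issued": now, "failures": 0}
        return code

    def verify(self, account, guess, now):
        if account in self.suspended:
            return "suspended"              # even the right code is refused
        ch = self.challenges.get(account)
        if ch is None or now - ch["issued"] > self.policy.ttl_s:
            return "expired"
        if secrets.compare_digest(ch["code"], guess):
            del self.challenges[account]    # codes are single use
            return "ok"
        ch["failures"] += 1
        if ch["failures"] < self.policy.max_attempts:
            return "wrong"
        del self.challenges[account]        # cap hit: burn the challenge
        if self.policy.suspend_account:
            self.suspended.add(account)
            return "suspended"
        return "challenge_discarded"

def brute_force_outcome(policy, account="alice"):
    """Use up the cap with wrong guesses, then let the real owner request a
    fresh code. Returns (result at the cap, result for the owner's code)."""
    v = OtpVerifier(policy)
    code = v.issue(account, 0.0)
    wrong = "000000" if code != "000000" else "000001"
    at_cap = [v.verify(account, wrong, 1.0) for _ in range(policy.max_attempts)][-1]
    fresh = v.issue(account, 2.0)
    return at_cap, v.verify(account, fresh, 3.0)
```

With `suspend_account=True` the legitimate owner is refused even with a freshly issued, correct code, which is the lockout the Reddit reports describe; with it off, only the attacked challenge is burned and the owner logs in normally.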
On X: "Dashlane says a brute-force attack tried to guess 2FA codes and add attacker devices."
