Security News: Dashlane password manager users locked out by brute-force attacks

Gandalf_The_Grey

Apr 24, 2016
Multiple Dashlane users have been locked out of their accounts following brute-force attacks that attempted logins from distant locations and unknown devices.

In a statement to BleepingComputer, the password management service confirmed that the suspensions were part of an automated security response designed to protect against account hijacking.

“We can confirm that certain Dashlane user accounts were targeted in a brute force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built-in security controls. The affected accounts have now been unsuspended,” stated Jordan Fylolenko, Dashlane Senior Director of Corporate Communications.

“Our team is actively engaged in this issue and taking measures to further protect customers. There is no evidence of compromise of Dashlane’s systems.”

Worried Dashlane users reported earlier today on Reddit that they received notices of suspicious access requests from foreign countries. The emails contained verification codes for legitimate account owners to register new devices.
 
Coming from Bitwarden, I think Dashlane's approach to verifying a new device (not clear whether it's for all unknown devices/clients or only for unknown ones from unfamiliar geolocations) is interesting and different from Bitwarden's. Dashlane sends an OTP before allowing the user to enter the account password, the OTP lives for 3 hours, and Dashlane "temporarily" suspends an account that is hit with OTP brute-forcing attempts. Bitwarden makes the user enter the password first, sends an OTP for all unknown clients (likely based on a cookie/token the client keeps), the OTP lasts a couple of minutes, and Bitwarden rate-limits OTP requests/entries, possibly without suspending the account.

Credential stuffing against a Dashlane account means brute-forcing the OTP, which lets Dashlane detect the attempts quickly without the accounts with leaked passwords being compromised, but it means an attacker may be able to arbitrarily suspend any account's login (from unknown locations?), and it results in users taking unnecessary precautionary actions. Any user can get these worrying emails even if their account isn't in danger (because their password is unique and not easily guessed).

Credential stuffing against a Bitwarden account means the attacker can enter a compromised password and then must brute-force the OTP. Without effective rate limiting on Bitwarden's side, the account could eventually be compromised. Meanwhile, users with logged-in clients (possibly most users) won't be affected by account suspension or a DoS attack; users who need to log in from unknown locations may still be affected. Getting an email from Bitwarden can mean it's time to change your leaked password.

Emergency sheets and regular backups are two of the most recommended things for users in the Bitwarden subreddit.
 
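To make the trade-off discussed in the post above concrete (suspend the account after repeated wrong codes versus per-account rate limiting of attempts on an emailed OTP), here is an added Python model. It is not Dashlane's or Bitwarden's code, and every parameter in it is an assumption chosen for illustration: a 6-digit code, a 3-hour code lifetime, suspension after 10 wrong codes, and a limit of 5 attempts per 60 seconds. The brute-force routine plays an attacker who has already triggered the emailed code and guesses sequentially, one attempt per second.

```python
"""Constructed model of an emailed-OTP device-registration check under two abuse
policies. Not Dashlane's or Bitwarden's code; all parameters are assumptions."""
import secrets
from collections import deque
from dataclasses import dataclass, field
from typing import Optional

OTP_DIGITS = 6                  # assumed code length
OTP_SPACE = 10 ** OTP_DIGITS    # number of possible codes


@dataclass
class Account:
    email: str
    otp: Optional[str] = None        # code last emailed to the owner
    otp_expires_at: float = 0.0
    failures: int = 0                # consecutive wrong codes ("suspend" policy)
    suspended: bool = False
    attempts: deque = field(default_factory=deque)  # attempt timestamps ("ratelimit" policy)


class OtpServer:
    """policy="suspend": after max_failures wrong codes the account is suspended until
    someone unsuspends it. policy="ratelimit": at most rate_limit attempts per
    rate_window seconds; excess attempts are rejected without changing account state."""

    def __init__(self, policy, otp_ttl=3 * 3600, max_failures=10,
                 rate_limit=5, rate_window=60.0):
        assert policy in ("suspend", "ratelimit")
        self.policy = policy
        self.otp_ttl = otp_ttl
        self.max_failures = max_failures
        self.rate_limit = rate_limit
        self.rate_window = rate_window

    def max_attempts_per_otp(self):
        """Upper bound on guesses an attacker gets against one emailed code."""
        if self.policy == "ratelimit":
            return int(self.rate_limit * self.otp_ttl / self.rate_window)
        return self.max_failures

    def request_otp(self, acct, now):
        """An unknown device asks to register: a fresh code is emailed to the owner.
        Anyone who knows the email address can trigger this; that is the worrying mail."""
        if acct.suspended:
            return None
        acct.otp = f"{secrets.randbelow(OTP_SPACE):0{OTP_DIGITS}d}"
        acct.otp_expires_at = now + self.otp_ttl
        return acct.otp  # returned only so a demo can play the legitimate owner

    def verify(self, acct, code, now):
        if acct.suspended:
            return "suspended"
        if acct.otp is None or now > acct.otp_expires_at:
            return "expired"
        if self.policy == "ratelimit":
            # sliding window: drop attempts older than rate_window, then count the rest
            while acct.attempts and acct.attempts[0] <= now - self.rate_window:
                acct.attempts.popleft()
            if len(acct.attempts) >= self.rate_limit:
                return "rate_limited"  # nothing persisted: the owner is not locked out
            acct.attempts.append(now)
        if secrets.compare_digest(code, acct.otp):
            acct.otp = None
            acct.failures = 0
            # in the Dashlane flow quoted later in this thread this is where a device key
            # would be issued and the encrypted vault becomes downloadable
            return "device_registered"
        acct.failures += 1
        if self.policy == "suspend" and acct.failures >= self.max_failures:
            acct.suspended = True
            return "suspended"
        return "wrong"


def brute_force(server, acct, start, budget):
    """Attacker who has triggered an OTP guesses codes 000000, 000001, ... one per second.
    Returns (count of each verify result, seconds elapsed)."""
    counts = {}
    now = start
    for guess in range(budget):
        result = server.verify(acct, f"{guess:0{OTP_DIGITS}d}", now)
        counts[result] = counts.get(result, 0) + 1
        if result in ("device_registered", "suspended", "expired"):
            break
        now += 1.0
    return counts, now - start


if __name__ == "__main__":
    for policy in ("suspend", "ratelimit"):
        srv = OtpServer(policy)
        victim = Account("victim@example.com")   # constructed account
        srv.request_otp(victim, 0.0)
        counts, elapsed = brute_force(srv, victim, 0.0, budget=1000)
        print(policy, counts, f"{elapsed:.0f}s", "owner now:",
              srv.verify(victim, victim.otp or "", elapsed + 20.0))
```

Running it shows the two failure modes the post describes: under the suspend policy the attacker locks the owner out after ten guesses and the account stays suspended until someone intervenes; under the rate-limit policy the attacker gets only 5 of every 60 attempts through (900 guesses against a 3-hour code, a success chance below 0.1 percent), the owner is refused only while the attacker's window is full and can register a device once it drains, and the price is that the bound depends entirely on how strict the limit actually is.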
On X: "Dashlane says a brute-force attack tried to guess 2FA codes and add attacker devices."

 
For attacks using credentials (not session tokens), FIDO2 2FA protection is theoretically much better. I'm not against TOTP 2FA; it's just that once FIDO2 became available for my accounts, I haven't had the heart to drop TOTP, maybe out of fear of being locked out or being inconvenienced.

My mantra for eventually dropping TOTP: TOTP can be phished, and it can be brute-forced.
 
Dashlane confirms hackers stole around 20 encrypted password vaults, and it's being quiet about how.
Because Dashlane considers a device "authenticated" with the right OTP without the user entering the master password, the client can download an encrypted vault. It is likely the rate-limiting on the OTP isn't effective enough to prevent downloading 20 encrypted vaults. These security companies usually release the minimum amount of information they can get away with; I am surprised they even mentioned the 20 vaults.

When a user attempts to connect to a Dashlane account on a device that has not yet been authorized for that account, Dashlane generates a One-Time Password (OTP, or token) that is sent to the user at the email address used to create the Dashlane account initially.


Figure: Authentication when adding a new device

Upon validation of the OTP by the server after the user enters it into the application, the device is provided with a User Device Key to authenticate to the server (cf 4.1.1 Registration).

Once the device is authenticated to our server, the device can download the user’s vault in its encrypted form (cf 3.2 Encryption Model: Secrets and Protections). Then, the user can decrypt their vault by providing their Master Password.
 
I think the most effective measure for account protection is limiting login by country. Microsoft and Google both offer this kind of protection, but only for business customers and not for personal accounts, which is a shame.
 
It is not really 2FA if you only need 1FA, like a passkey; it assumes the request came from a valid device, because it has been verified before, and that it must be you.
but a 2FA OTP from an authenticator app lives only for 30 seconds
Yes, but it repeats at regular intervals, so the system time must match, and it can be guessed. It is basically just a simplified code sheet: at 5:27, select the code from E27.
 
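The exchange above is about how much a time-based code actually narrows the guess space. As an added example (not code from any poster, and using the RFC 4226/6238 test secret rather than a real key), this Python implements HOTP and TOTP from the standard library, a server-side check with the usual tolerance of one 30-second step either side of the clock, and the per-guess acceptance probability that tolerance produces. The tolerance of ±1 step and the guess-with-replacement model are assumptions for the illustration.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a drift-tolerant verifier; added example,
not from any vendor. The secret below is the RFC test vector, not a real key."""
import hashlib
import hmac
import struct

STEP = 30      # seconds per TOTP step (RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % 10 ** digits:0{digits}d}"


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(time / step); the code is constant for a whole step."""
    return hotp(secret, unix_time // step, digits)


def totp_valid(secret: bytes, code: str, unix_time: int, skew: int = 1,
               step: int = STEP, digits: int = DIGITS) -> bool:
    """Server check tolerating clock drift: current step plus `skew` steps on either side.
    Every extra accepted step is one more code an attacker's guess can collide with."""
    counter = unix_time // step
    return any(hmac.compare_digest(code, hotp(secret, counter + d, digits))
               for d in range(-skew, skew + 1))


def guess_success_probability(attempts: int, skew: int = 1, digits: int = DIGITS) -> float:
    """Chance that `attempts` random guesses (with replacement, an assumption) made while the
    same window is open hit one of the 2*skew+1 codes the server currently accepts."""
    accepted = 2 * skew + 1
    return 1.0 - (1.0 - accepted / 10 ** digits) ** attempts


if __name__ == "__main__":
    SECRET = b"12345678901234567890"        # RFC 4226/6238 test secret
    print("t=59  ->", totp(SECRET, 59))      # 287082 in RFC 6238 Appendix B
    print("t=70 accepts t=59 code:", totp_valid(SECRET, totp(SECRET, 59), 70))
    for n in (1, 100, 10_000):
        print(f"{n:>6} guesses in one window: p = {guess_success_probability(n):.4%}")
```

The useful reading of the numbers: with ±1 step tolerance a 6-digit code has 3 live values out of a million, so a single guess succeeds with probability 3e-6 and an attacker who can push 10,000 attempts through in one window has about a 3 percent chance. The cap on attempts is what keeps the code safe, not the 30-second expiry, and a login endpoint that forgets to rate-limit the second factor has no cap at all.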