Attackers obtained encrypted password vaults from some Dashlane user accounts

Dashlane disclosed a brute-force campaign targeting API endpoints used for device registration which generated valid tokens and allowed an attacker to register new devices and download encrypted vaults for fewer than 20 personal-plan customers; the company found no evidence of internal system compromise, deployed additional network and product protections, and warned that stolen encrypted vaults remain susceptible to offline cracking if users have weak master passwords.