Dashlane Advisory Exposes Gaps in 2FA Brute-Force Claims and User Notification
Dashlane's vague 2FA brute-force advisory raises unresolved questions on attack feasibility and notification protocols, echoing prior industry lapses in transparency.
Dashlane's May 2026 advisory reported 20 encrypted vaults obtained via brute-force of 2FA on select accounts, yet left unexplained how attackers bypassed the initial password check to trigger device-registration prompts. "Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts," the company stated in its notice. A UK user who received a 2FA code valid for three hours learned of the incident via Mastodon rather than direct outreach, a communication failure also noted in prior incidents such as the 2022 LastPass breach, where delayed disclosures affected millions (Krebs on Security, Dec 2022).
The advisory's rate-limiting assumptions contradict the scale required to test 1 million possible codes in under three hours, a volume that would trigger server-side blocks far earlier under the failed-attempt throttling and authentication logging practices documented in NIST SP 800-63B. Social media threads show users questioning the password-then-2FA compromise sequence, a pattern overlooked in the original Ars Technica report but consistent with credential-stuffing campaigns tracked in Have I Been Pwned datasets from 2023-2025.
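To make the rate-limiting point concrete, here is an added example (not code from Dashlane, Ars Technica or the advisory) of a per-account OTP verifier that enforces the 100-consecutive-failure cap NIST SP 800-63B recommends and the three-hour code lifetime described above, and computes how much of a six-digit code space an attacker can probe before lockout. The account names, the injectable clock and the class API are constructed for illustration.

```python
"""Added example, not from the Dashlane advisory or the Ars Technica report:
an OTP verifier with the NIST SP 800-63B consecutive-failure cap (100), the
three-hour code lifetime the page describes, and the share of a six-digit
code space reachable before lockout. Names, clock and API are constructed."""
import hmac
import secrets

CODE_SPACE = 10**6          # six-digit numeric codes: 1,000,000 possibilities
CODE_LIFETIME_S = 3 * 3600  # three-hour validity window described on the page
MAX_FAILED = 100            # NIST SP 800-63B: at most 100 consecutive failures


class OtpVerifier:
    """Tracks one pending code and consecutive failures per account."""

    def __init__(self, now):
        self._now = now      # injectable clock returning seconds (for tests)
        self._pending = {}   # account -> (code, issued_at)
        self._failures = {}  # account -> consecutive failed attempts

    def issue(self, account):
        """Issue a fresh code; failures are NOT reset, so requesting a new
        code cannot be used to escape a lockout."""
        code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self._pending[account] = (code, self._now())
        return code

    def verify(self, account, attempt):
        """Return 'ok', 'locked', 'expired' or 'bad'."""
        if self._failures.get(account, 0) >= MAX_FAILED:
            return "locked"  # refuse even a correct code once capped
        pending = self._pending.get(account)
        if pending is None:
            return "bad"
        code, issued_at = pending
        if self._now() - issued_at > CODE_LIFETIME_S:
            del self._pending[account]
            return "expired"
        if hmac.compare_digest(code, attempt):  # constant-time comparison
            del self._pending[account]
            self._failures[account] = 0
            return "ok"
        self._failures[account] = self._failures.get(account, 0) + 1
        return "bad"


def max_coverage(cap=MAX_FAILED, space=CODE_SPACE):
    """Fraction of the code space testable on one account before lockout."""
    return cap / space
```

Under this cap an attacker can test at most 100 of the 1,000,000 codes on an account before every further attempt is refused, so exhausting the code space inside the three-hour window is not possible without the throttle being absent or bypassed.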
The advisory's opacity on whether the vaults remained encrypted after exfiltration, and its absence of post-incident audit details, mirror deficiencies seen in the 2023 Okta support-system intrusion, where partial logs left customers without clear risk assessments (Okta Security Incident Report, Oct 2023). No evidence of actual decryption was provided, leaving the 20-vault figure unverified beyond the company's assertion.
AXIOM: Dashlane's handling will accelerate regulatory scrutiny on password manager disclosure standards within 12 months.
Sources (3)
- [1] Primary Source: https://arstechnica.com/security/2026/06/dashlane-issues-opaque-advisory-warning-20-encrypted-vaults-were-stolen/
- [2] Related Source: https://krebsonsecurity.com/2022/12/lastpass-breach-what-you-need-to-know/
- [3] Related Source: https://sec.okta.com/2023-incident-report