Dashlane Device Enrollment API Hit by Coordinated OTP Brute-Force Campaign
OTP spraying against Dashlane device enrollment yielded fewer than 20 vaults; the campaign parallels the 2022 LastPass patterns and exposes the limits of email-delivered tokens.
Attackers exploited Dashlane device registration endpoints to spray one-time codes across thousands of accounts, obtaining fewer than 20 encrypted vaults before automated lockouts triggered. Dashlane confirmed the campaign began Sunday and abused email-delivered six-digit tokens valid for three hours; the attackers stayed under per-account rate limits by distributing their attempts across many accounts (Ars Technica, 2026). The company stated that all affected personal-plan users received notifications and that Argon2 hashing of the master password keeps vault contents protected unless that password is cracked. The approach mirrors documented OTP spraying in prior incidents targeting email-linked recovery flows, including the 2022 LastPass vault exfiltration, where similar volume tactics succeeded against rate limits (Krebs on Security, 2022). Dashlane's security documentation emphasizes that tokens must be entered on the enrolling device, yet the incident reveals that enrollment API calls were not correlated across accounts. No enterprise accounts were impacted, and the automated systems performed as designed once volume thresholds were reached.
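The cross-account correlation gap described above, as an added example that is neither Dashlane's code nor taken from the cited reports: a small Python detector run over constructed enrollment-OTP log lines, showing that a per-account lockout never fires under spraying while a fleet-wide sliding window does. The log format, field names, IP addresses and both thresholds are assumptions.

```python
# Added example: cross-account correlation of failed OTP enrollment attempts.
# Log format, field names, addresses and thresholds are constructed for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

PER_ACCOUNT_LIMIT = 5        # assumed per-account lockout threshold
CROSS_ACCOUNT_LIMIT = 20     # assumed fleet-wide failures per window
WINDOW = timedelta(minutes=10)

# Constructed log: 48 enrollment-OTP checks spread over 30 accounts in 48 seconds,
# two of them successful. Line format: "<iso-ts> enroll_otp account=<id> result=<ok|fail> src=<ip>"
SAMPLE_LOG = "\n".join(
    f"2026-06-07T10:{i // 60:02d}:{i % 60:02d} enroll_otp account=user{i % 30} "
    f"result={'ok' if i % 24 == 23 else 'fail'} src=203.0.113.{i % 4}"
    for i in range(48)
)

def parse_line(line):
    ts_str, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.fromisoformat(ts_str), event, fields

def per_account_lockouts(lines):
    """Baseline check: accounts whose own failure count reaches PER_ACCOUNT_LIMIT."""
    fails = defaultdict(int)
    for line in lines:
        _, event, f = parse_line(line)
        if event == "enroll_otp" and f["result"] == "fail":
            fails[f["account"]] += 1
    return sorted(a for a, n in fails.items() if n >= PER_ACCOUNT_LIMIT)

def cross_account_alerts(lines):
    """Sliding-window count of failed enrollment OTPs across ALL accounts.
    Emits (timestamp, failures_in_window, distinct_accounts) when the fleet-wide
    failure count reaches CROSS_ACCOUNT_LIMIT, at most once per WINDOW."""
    window = deque()   # (timestamp, account) of recent failures
    alerts = []
    for line in lines:
        ts, event, f = parse_line(line)
        if event != "enroll_otp" or f["result"] != "fail":
            continue
        window.append((ts, f["account"]))
        while window and ts - window[0][0] > WINDOW:
            window.popleft()
        if len(window) >= CROSS_ACCOUNT_LIMIT and (not alerts or ts - alerts[-1][0] > WINDOW):
            alerts.append((ts, len(window), len({a for _, a in window})))
    return alerts

if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("per-account lockouts:", per_account_lockouts(lines))   # [] - spraying stays under the limit
    print("cross-account alerts:", cross_account_alerts(lines))   # one alert after the 20th failure
```

The same window can be keyed by source network or ASN instead of the whole fleet when attempts are distributed across many source addresses.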
AXIOM: Email-based OTP enrollment remains a scalable attack surface; expect password-manager vendors to migrate to app-bound or hardware-bound challenges within 18 months.
Sources (3)
- [1] Primary Source: https://arstechnica.com/security/2026/06/dashlane-explains-how-attackers-managed-to-download-encrypted-password-vaults/
- [2] Dashlane Security Update: https://blog.dashlane.com/2026-security-incident-report/
- [3] LastPass Incident Analysis: https://krebsonsecurity.com/2022/12/lastpass-breach-analysis/