Trending
John Fetterman is trending now Karen Read is trending now Florida Panthers is trending now Georgia baseball is trending now Malawi is trending now Tony Evans is trending now Rebecca Grossman is trending now iOS 18 beta is trending now Maren Morris is trending now Nvidia stock price is trending now iOS 18 beta is trending now Maren Morris is trending now John Fetterman is trending now Karen Read is trending now Florida Panthers is trending now Georgia baseball is trending now Malawi is trending now Tony Evans is trending now Rebecca Grossman is trending now iOS 18 beta is trending now Maren Morris is trending now Nvidia stock price is trending now iOS 18 beta is trending now Maren Morris is trending now
Technology

Dashlane explains how attackers managed to download encrypted password vaults

By targeting large numbers of users, attackers increased their chances of success.

728×90 ad placeholder

Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible. The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.

In a campaign that started Sunday, the unknown threat actor abused the mechanism that allows Dashlane users to add new devices, such as computers or phones, to their accounts. By abusing Dashlane's programming interfaces for device enrollment, the attackers sent requests to large numbers of existing users’ registered email addresses. In an update published Thursday, Dashlane wrote:

The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.

In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.

The flow and strategy of the attack

When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder's identity. This verification is completed by sending a one-time six-digit token to the user’s registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app).

Read full article

Comments

View original source →

Related

In-feed ad placeholder

More from Ars Technica