Dashlane’s automated defenses locked dozens of accounts after a coordinated brute‑force campaign from foreign IPs. The company quickly unsuspended the accounts, but users report lingering login issues. Experts explain how such attacks work and what password‑manager users can do to stay safe.
Dashlane Users Temporarily Locked Out After Brute‑Force Attack Spree
On June 1, 2026, Dashlane confirmed that a wave of brute‑force attempts triggered its built‑in account‑lockout mechanisms, temporarily suspending a number of user accounts. The attacks originated from distant locations and unknown devices, prompting the password‑manager service to automatically protect its users by halting login attempts.
What happened?
Dashlane’s security team detected a surge of failed login attempts that crossed the service’s threshold for automated protection. Within minutes, the platform’s rate‑limiting and lockout controls kicked in, suspending the affected accounts to stop any further credential guessing.
Jordan Fylolenko, Senior Director of Corporate Communications at Dashlane, told BleepingComputer:
"We can confirm that certain Dashlane user accounts were targeted in a brute‑force attack by an external party, resulting in the suspension of those accounts as part of Dashlane’s built‑in security controls. The affected accounts have now been unsuspended."
The company added that there was no evidence of a breach of Dashlane’s internal systems and that the incident was resolved by 22:30 UTC on May 31, with a follow‑up status update posted on June 1 at 07:32 UTC.
Why users saw suspicious emails
Reddit users reported receiving verification‑code emails that appeared to come from Dashlane, asking them to confirm new device registrations. The messages were legitimate—generated by Dashlane’s own security workflow—but many recipients mistook them for phishing attempts because they had not initiated any device changes.
“I got a code to register a new device in a country I’ve never been to. I thought it was a scam, but the support reply said it was the lockout process.” – Reddit user u/securepass123
These emails are part of the service’s two‑factor authentication (2FA) flow. When an unknown device or IP address tries to log in, Dashlane sends a one‑time code to the registered email address. If the user does not approve the request, the login is denied and the account may be temporarily locked.
How brute‑force attacks work against password managers
Password managers are high‑value targets because a single compromised master password can expose dozens of other credentials. Attackers typically employ one of two strategies:
- Credential stuffing – using leaked username/password pairs from other breaches and trying them en masse.
- Pure brute force – automated scripts that iterate through common password lists or dictionary words until the correct master password is found.
Dashlane’s defenses include:
- Rate limiting – caps the number of login attempts per IP address within a given time window.
- CAPTCHA challenges – forces a human to solve a test after a threshold of failures.
- Account lockout – temporarily disables the account after repeated failed attempts, as seen in this incident.
These controls are standard across secure platforms, but they also create a user‑experience trade‑off: legitimate users may be locked out if they travel or use a VPN that changes their apparent location.
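The three controls listed above, modelled in Python as an added example (not from the article and not Dashlane's code; the thresholds and the names `LoginGuard` and `simulate_distributed_guessing` are assumptions). It shows why failed logins spread across many source IPs stay under a per-IP rate limit yet still trip the account lockout, which then refuses the legitimate owner as well.

```python
# Added illustration: thresholds are assumed, not Dashlane's real values.
from collections import defaultdict, deque


class LoginGuard:
    """Per-IP sliding-window rate limit, CAPTCHA step-up, per-account lockout."""

    def __init__(self, ip_limit=5, ip_window=60, captcha_after=3,
                 lock_after=10, lock_seconds=900):
        self.ip_limit, self.ip_window = ip_limit, ip_window
        self.captcha_after = captcha_after
        self.lock_after, self.lock_seconds = lock_after, lock_seconds
        self.ip_hits = defaultdict(deque)   # ip -> timestamps of recent attempts
        self.failures = defaultdict(int)    # account -> consecutive failures
        self.locked_until = {}              # account -> time the lock expires

    def attempt(self, account, ip, ok, now):
        """Decide one login attempt at time `now` (seconds); `ok` = password matched."""
        if self.locked_until.get(account, 0) > now:
            return "locked"                 # refused even if the password is right
        hits = self.ip_hits[ip]
        while hits and hits[0] <= now - self.ip_window:
            hits.popleft()                  # drop attempts that left the window
        if len(hits) >= self.ip_limit:
            return "rate_limited"
        hits.append(now)
        if ok:
            self.failures[account] = 0
            return "allowed"
        self.failures[account] += 1
        if self.failures[account] >= self.lock_after:
            self.locked_until[account] = now + self.lock_seconds
            return "locked"
        if self.failures[account] >= self.captcha_after:
            return "captcha"                # next attempt must solve a challenge
        return "denied"


def simulate_distributed_guessing(guard, account, n_ips, start=0):
    """Constructed scenario: one failed login per source IP, one per second."""
    return [guard.attempt(account, f"203.0.113.{i}", False, start + i)
            for i in range(n_ips)]


if __name__ == "__main__":
    g = LoginGuard()
    print(simulate_distributed_guessing(g, "alice@example.com", 10))
    # The owner presents the correct password while the lock is still active.
    print(g.attempt("alice@example.com", "198.51.100.7", True, 30))
```

The per-IP limiter never fires in the distributed run because each address makes a single attempt; only the per-account counter sees the pattern, and its lock is what the account owner then runs into.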
Expert take: What should users do now?
"When a password manager locks you out, it’s a sign the service is doing its job," says Dr. Maya Patel, senior security analyst at the Identity & Access Management Lab at Carnegie Mellon University. "The key is to verify the lockout is genuine and then follow the recovery flow rather than trying to force a login."
Practical steps for Dashlane users:
- Check the official status page – Dashlane maintains a real‑time feed at https://status.dashlane.com. Look for any ongoing incidents before contacting support.
- Use the recovery email – If you receive a lockout notice, click the “Forgot master password?” link and follow the instructions. The process will send a recovery code to your registered email address.
- Enable hardware‑based 2FA – Adding a U2F security key (e.g., YubiKey) reduces reliance on email codes and makes unauthorized device attempts far harder.
- Review recent activity – After regaining access, inspect the device list in the Dashlane dashboard. Remove any unknown entries and change your master password.
- Consider a password‑manager‑specific VPN – Some services recommend using a trusted VPN endpoint for travel to avoid triggering geographic lockouts.
What Dashlane could improve
While the rapid unsuspension of accounts demonstrates a responsive security team, several users still report login problems and delayed support responses. Security consultants suggest the following enhancements:
- Transparent lockout notifications – Include a clear reference number and a direct link to the recovery flow in the lockout email.
- Self‑service unlock – Allow users to verify identity via a secondary factor (e.g., a registered phone number) to lift the lock without waiting for support.
- Rate‑limit exceptions for known travelers – Offer an opt‑in program where users can pre‑authorize travel locations, reducing accidental lockouts.
Bottom line
Dashlane’s automated defenses successfully prevented a brute‑force campaign from compromising user vaults, but the side effect was a wave of temporary account suspensions. Users should follow the official recovery steps, enable additional 2FA methods, and keep an eye on the status page for any future incidents.
For a deeper dive into protecting your master password against brute‑force attacks, see the NIST Digital Identity Guidelines and the OWASP Authentication Cheat Sheet.