Attackers brute-forced Dashlane’s 2FA codes to register new devices on fewer than 20 accounts and obtain those users’ encrypted password vaults. The vaults remain protected by master passwords that Dashlane never stores, but users with weak master passwords run the risk of offline cracking.
Dashlane revealed on Sunday that an external attacker had launched a brute-force attack against its two-factor authentication system, successfully circumvented 2FA on fewer than 20 personal plan accounts, and downloaded copies of those users’ encrypted password vaults.
The attack began on May 31. When Dashlane’s security mechanisms detected the high volume of authentication attempts, they triggered automatic account lockouts for a larger group of targeted users.
The method was simple. Using automated tooling, the attackers rapidly submitted possible values for the time-based 2FA code, trying to hit the correct one before each short-lived code expired. When a guess succeeded, they were able to register a new device on the targeted account, which gave them the access needed to download the user’s encrypted vault from Dashlane’s servers.
What was stolen and its implications
The vaults, which hold a user’s stored passwords, secure notes, and other credentials, are encrypted with the user’s master password, which Dashlane says is never transmitted to its servers in plaintext. Because of this zero-knowledge architecture, an attacker who holds a copy of a vault still cannot read its contents without the master password. Vault encryption, according to Dashlane, “ensures that any attempts to gain access to the vault are statistically unlikely to succeed, even over a long period of time.”
This guarantee holds only if the affected users chose strong, unique master passwords. If any of the fewer than 20 users whose vaults were downloaded used a weak or reused master password, the attackers could break those vaults offline with dictionary or brute-force techniques. Users who reuse credentials across services are especially exposed to credential stuffing attacks, which exploit passwords leaked in earlier breaches.
The flaw in 2FA
The attack took advantage of a basic weakness of time-based one-time password (TOTP) 2FA codes: they are usually six digits, giving only one million possible values in each 30-second window. If rate limiting is not aggressive enough, the likelihood of guessing a valid code within its lifetime becomes non-trivial over many attempts, and automated tooling can submit thousands of attempts per second.
Dashlane’s security controls identified the attempt and froze the affected accounts. This averted a wider compromise, although it inconvenienced legitimate users who were locked out. The tension between security lockouts and user experience is a persistent problem for authentication systems: aggressive lockouts stop attackers, but they also have a denial-of-service effect on real users.
According to Dashlane, its investigation found no evidence that its own systems had been compromised. Rather than exploiting a flaw in Dashlane’s infrastructure, the attack targeted user accounts from the outside.
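The two paragraphs above (the size of the TOTP code space and the lockout trade-off) can be made concrete. The following is an added example, not Dashlane’s code: an RFC 6238 TOTP verifier with a per-account failure counter that locks the account after a hypothetical threshold of five wrong codes, plus a function giving the probability that an attacker with a fixed number of guesses per window eventually succeeds. The secret is the RFC 4226 test secret; the threshold and skew tolerance are assumptions.

```python
import hmac, hashlib, struct
from dataclasses import dataclass

DIGITS = 6
STEP = 30                      # seconds per TOTP window
CODE_SPACE = 10 ** DIGITS      # one million possible six-digit codes


def totp(secret: bytes, counter: int) -> str:
    """RFC 6238 / RFC 4226 code (HMAC-SHA1, six digits) for a 30-second counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % CODE_SPACE:0{DIGITS}d}"


def guess_success_probability(attempts_per_window: int, windows: int) -> float:
    """Chance an attacker making distinct guesses per window wins within `windows` periods.
    With no rate limit (a million guesses per window) this is 1.0 in a single window;
    with a hypothetical cap of 5 guesses it is 5e-6 per window."""
    p_window = min(attempts_per_window, CODE_SPACE) / CODE_SPACE
    return 1 - (1 - p_window) ** windows


@dataclass
class TotpVerifier:
    secret: bytes
    max_failures: int = 5      # assumed threshold before the account is locked
    failures: int = 0
    locked: bool = False

    def verify(self, code: str, now: float) -> bool:
        """Accept the code for the current window or one step either side (clock skew).
        Each skew step widens the accepted set, so tolerance must stay small."""
        if self.locked:
            return False       # locked accounts reject even a correct code
        counter = int(now // STEP)
        ok = any(hmac.compare_digest(totp(self.secret, counter + d), code)
                 for d in (-1, 0, 1))
        if ok:
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True  # the lockout Dashlane's controls applied, in miniature
        return False
```

The verifier shows the trade-off directly: once locked, the legitimate user’s correct code is rejected too, which is the inconvenience the article describes.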
The echo of LastPass
The incident will inevitably be compared to the 2022 LastPass breach, in which attackers stole millions of users’ encrypted password vaults. In that case, researchers later confirmed that some vaults protected by weak master passwords were cracked, leading to cryptocurrency thefts and other real-world harm. Although law enforcement has increasingly focused on cybercriminal infrastructure, server-side security cannot prevent offline cracking of a vault once it has been stolen.
Although the scale differs (fewer than 20 vaults versus millions), the lesson is the same: the security of an encrypted vault depends on the master password used to protect it.
Dashlane advises affected users to review their registered devices, remove any they do not recognize, enable 2FA if it is not already on, and, above all, use a strong, unique master password that is long and hard to guess.
Dashlane published its advisory quickly and gave explicit remediation steps, in line with good security communication practice. The incident nonetheless raises a broader question for the password manager industry: if 2FA can be brute-forced to register new devices, what additional authentication layers are needed to protect the most sensitive consumer security product most people use?