Anything that can be hacked will be hacked. When millions of accounts store data on a single service it creates a centralized attack point and the data becomes a target. The primary protection method beyond the password is two-factor authentication (2FA). Over the past fifteen years MFA has been exploited with many varied attacks including SIM swapping, real-time phishing proxies, MFA fatigue bombing, and session cookie theft among others. On May 31, 2026, an attacker brute-forced Dashlane’s six-digit 2FA code, downloaded encrypted vaults, and opened them because they already had the master passwords.
Dashlane’s encryption held, their infrastructure was not breached, and they detected the attack and shut it down. But when millions of vaults sit behind a single server and the only lock on the door is a six-digit number that changes every thirty seconds, it was only a matter of time before someone built a bot that guesses faster.
Here is how it worked, what it means for 2FA, and what you can do about it.
The Attack Chain
The attackers obtained Dashlane users’ email addresses and master passwords from breaches of other services. These users had reused their Dashlane master password, the one key that protects their entire vault, on another site that was compromised. The attackers did not hack Dashlane to get these passwords. They already had them.
With valid email and password in hand, the attackers hit Dashlane’s device registration endpoint. The only remaining barrier was the six-digit TOTP code. Six digits means one million possible combinations. A new code is generated every thirty seconds. Automated software submitted guesses at scale until the correct code was found before it expired.
Once the TOTP code was accepted, the attacker’s device was registered as authorized on the user’s account. Dashlane’s server delivered the encrypted vault for download, exactly as it would for any newly authorized device.
The vault is encrypted with the master password. The attacker already has the master password from the credential stuffing step. The encryption is bypassed. The vault is open.
Dashlane reported that fewer than twenty accounts were affected, that no internal systems were compromised, and that the attack was detected and blocked. That is all accurate. The system worked as designed. The server authenticated a request, verified a 2FA code, and served the vault. The real question is whether a six-digit code checked by a server is strong enough to be the last line of defense between an attacker and an encrypted vault.
How Multifactor Authentication Works
Every form of two-factor authentication exists for the same reason: to protect access to a centralized server. A password alone is not enough because passwords get leaked, reused, and stolen. So the industry added a second factor, something beyond the password that the server checks before granting access. The strength of that second factor varies widely, but the purpose is always the same: convince the server you are who you say you are.
Not all second factors are created equal. Here are the most common types in use today, from weakest to strongest:
SMS codes. A numeric code sent via text message. Vulnerable to SIM swapping, SS7 interception, and social engineering at the carrier level. Still better than no second factor, but widely considered the weakest option. NIST has recommended against SMS-based authentication for sensitive accounts since 2017.
Authenticator apps (TOTP). A six-digit code generated by an authenticator app like Google Authenticator, Authy, or Microsoft Authenticator. The code rotates every 30 seconds. Stronger than SMS because it cannot be intercepted in transit, but it is still a six-digit number with one million possible values, and the server verifies it. This is what was brute-forced in the Dashlane attack. The defense against brute force is rate limiting on the server side.
Push notifications. The service sends a prompt to your phone asking you to approve or deny a login attempt. Stronger than TOTP because there is no code to guess, but vulnerable to “MFA fatigue” attacks where the attacker floods the user with approval requests until they tap “approve” to make it stop. This is how Uber was breached in September 2022.
Hardware security keys. Physical devices like YubiKey or Google Titan that use cryptographic challenge-response. There is no code to guess or intercept. The key must be physically present and the authentication is bound to the specific domain, making it phishing-resistant. This is the strongest widely available second factor, but adoption is extremely low. Most people do not carry a dedicated security key, and if you lose it, you can lose access to your accounts.
The Dashlane attack specifically exploited the TOTP method. TOTP is the most commonly used authenticator-based 2FA and it is a significant improvement over password-only authentication. But it has a known limitation: the code is short enough to brute force if the server does not enforce strict rate limiting.
Why TOTP Was Vulnerable Here
A six-digit code has one million possible values. A new code is valid for thirty seconds, though most implementations accept the previous and next code as well, giving an effective window of about ninety seconds. If an attacker can submit enough guesses within that window without being blocked, they will eventually hit the right code.
The defense is entirely server-side. The server must detect rapid repeated attempts and lock the account or throttle requests. If the rate limiting is too lenient, or if the attacker distributes requests across many IP addresses, or if there is a gap between detection and enforcement, the window is open.
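To make the window arithmetic and the server-side defense concrete, here is an added example in Python (not Dashlane's code or any real implementation of theirs): a minimal RFC 6238 TOTP verifier with a per-account failure counter and lockout, plus a function giving the probability that a capped number of guesses lands on one of the three codes accepted at any given moment. The account name, the lockout policy numbers and the use of the RFC 6238 test secret are assumptions made for the example.

```python
import hashlib, hmac, struct
from collections import defaultdict

STEP = 30          # seconds per TOTP step
DIGITS = 6         # one million possible codes
SKEW = 1           # accept previous, current and next step: about a 90 s window
MAX_FAILURES = 5   # wrong codes tolerated before the account is locked (assumed policy)
LOCKOUT = 15 * 60  # seconds the account stays locked (assumed policy)

def totp(secret: bytes, t: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, dynamic truncation) for unix time t."""
    mac = hmac.new(secret, struct.pack(">Q", t // STEP), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** DIGITS
    return f"{code:0{DIGITS}d}"

class TotpVerifier:
    """Server-side code check with a per-account failure counter and lockout.
    Without the counter, a caller holding the password can keep submitting guesses;
    with it, a few wrong codes lock the account for longer than the valid window."""
    def __init__(self, secrets: dict):
        self.secrets = secrets                 # account -> shared TOTP secret
        self.failures = defaultdict(int)
        self.locked_until = defaultdict(int)

    def verify(self, account: str, code: str, now: int) -> bool:
        if now < self.locked_until[account]:
            return False                       # locked: the code is not even evaluated
        accepted = [totp(self.secrets[account], now + k * STEP)
                    for k in range(-SKEW, SKEW + 1)]
        if any(hmac.compare_digest(code, c) for c in accepted):
            self.failures[account] = 0
            return True
        self.failures[account] += 1
        if self.failures[account] >= MAX_FAILURES:
            self.failures[account] = 0
            self.locked_until[account] = now + LOCKOUT
        return False

def guess_success_probability(attempts: int) -> float:
    """Chance that `attempts` distinct guesses hit one of the 2*SKEW+1 codes
    accepted at a given moment; this is the quantity a rate limit is meant to cap."""
    space, valid = 10 ** DIGITS, 2 * SKEW + 1
    attempts = min(attempts, space - valid)
    p_miss = 1.0
    for i in range(attempts):
        p_miss *= (space - valid - i) / (space - i)
    return 1.0 - p_miss
```

With the assumed policy, guess_success_probability(MAX_FAILURES) is about 1.5e-5 per fifteen-minute lockout, which is the order of magnitude an account lockout buys compared with an unthrottled endpoint.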
TOTP was designed as a significant improvement over passwords alone, and it accomplishes that. The problem here is context: when TOTP is the last barrier between an attacker with valid credentials and a downloadable encrypted vault, the stakes riding on those six digits are extraordinarily high. A hardware security key would have stopped this specific attack because there is nothing to guess, but very few people use one. A YubiKey costs $25 to $70, you need two in case you lose one, and you have to carry it with you everywhere. Different devices need different connectors (USB-A, USB-C, NFC), so you might need multiple keys just to cover your own hardware. Most services still do not support them. For the average person who just wants to log in and get on with their day, a hardware key is not a realistic option.
2FA Best Practices
Two-factor authentication remains essential. Here is how to get the most out of it:
Hardware security keys are the strongest option, but they are impractical for most people. If you lose the key, you can lose access. For most people, TOTP is the realistic choice and it is solid. SMS is a last resort, but even SMS is better than no second factor at all.
The Dashlane attack only worked because users had reused their master password on other services that were breached. Your password manager master password should be unique, strong, and used nowhere else. This is the single most important thing you can do.
Generate a strong random password for every account in your vault. If a service notifies you of a breach, generate a new one for that account and move on. If you do this, you do not need paid breach monitoring services that scan your vault against leaked credential databases. Those services work by sending partial hashes of your passwords to external servers in order to check whether they were leaked, which itself leaks metadata about your credentials. If you never reuse a password, there is nothing to check.
Even TOTP-based 2FA dramatically reduces risk. Most attacks are opportunistic and automated. Credential stuffing bots move on when they encounter any second factor. The Dashlane attack required a targeted brute-force effort, which is far more expensive and far less common. Do not disable 2FA because of this incident. Enable it wherever you have not already.
The Centralized Attack Surface
With best practices covered, there is a deeper architectural question worth understanding. Every form of 2FA, from SMS to hardware keys, exists to protect access to a centralized server. The Dashlane attack showed what becomes possible when millions of encrypted vaults are accessible through a single API endpoint and the entire security model depends on the server correctly gatekeeping every request.
The server verifies credentials. The server checks the 2FA code. The server delivers the vault. Every layer of security in the system (the password, the second factor, the rate limiting, the encryption parameters) is checked by the server or controlled by the server. When any part of that chain is insufficient, the vault is exposed. That could be the TOTP rate limiting that this brute-force attack exploited, or the encryption parameters that ETH Zurich researchers demonstrated could be manipulated in a separate set of 25 attacks.
This is what researchers mean by a centralized attack surface. The attacker does not need to compromise nineteen million devices. They need to convince one server to serve one vault. The economics favor the attacker: one target, potentially millions of vaults, and every authentication bypass technique from credential stuffing to TOTP brute force to future methods not yet discovered can be aimed at that single point. 2FA raises the cost of that attack. It does not change the architecture.
Eliminate the Server
Stronger rate limiting, longer codes, push notifications, hardware keys. These all raise the cost of attacking a centralized server. But they do not eliminate the centralized server. The server still holds the vault. The server still decides who gets it. Every improvement is another layer of defense around the same single point of failure, and anything that can be hacked will be hacked.
There is another option: remove the server from the equation entirely.
A local-first password manager stores your encrypted vault on your device. There is no server that holds it. There is no API that serves it. There is no device registration endpoint to brute force. There is no 2FA to bypass because there is no server access to protect.
Leaked master password + server authentication = vault download. 2FA exists to protect this server access, but once it is bypassed, whether by brute force, SIM swap, MFA fatigue, or a method not yet invented, the server delivers the vault. The attacker needs your password and a way past the second factor. Nothing else.
Leaked master password + no server = nothing to download. There is no remote access to the vault. The attacker would need the password AND physical or remote access to the device where the vault is stored, a completely separate security boundary with its own credentials, its own protections, and no connection to the password manager’s authentication.
In a local-first model, two-factor security is built into the architecture itself. Factor one: something you know, the master password. Factor two: something you have, the encrypted vault file, on your device or in a backup location you control. There is no code to brute force because there is no server checking codes. No API to overwhelm because there is no API. The “second factor” is physical possession of the encrypted file. No bot is guessing its way past that.
The Dashlane security advisory was published on June 1, 2026. The investigation was completed on June 4, 2026. The full advisory is available at support.dashlane.com. The ETH Zurich paper, “Zero Knowledge (About) Encryption,” is available at eprint.iacr.org/2026/058.
For a detailed breakdown of the ETH Zurich study and the 25 attacks it demonstrated against cloud password managers, see our article: Why Zero-Knowledge Encryption Is Not Enough.