
Dashlane explains how attackers managed to download encrypted password vaults


Dashlane disclosed how attackers breached its systems to download encrypted password vaults from a large number of users. The company explained that the attackers didn't target specific individuals but instead cast a wide net, increasing their statistical odds of finding users with weaker security practices or exploitable vulnerabilities. By downloading the encrypted vaults in bulk rather than attempting to crack individual accounts, the attackers could work offline to test credentials and attempt decryption at scale. Dashlane said it has since patched the vulnerability and notified affected users, though the company did not specify how many vaults were compromised.

Dashlane said that attackers mounted a coordinated hacking campaign against a large base of its users in an attempt to recover as many encrypted password vaults as possible. The password manager provider said fewer than 20 personal user vaults were downloaded before it shut down the operation.

In a campaign that started Sunday, the unknown threat actor abused the mechanism that allows Dashlane users to add new devices, such as computers or phones, to their accounts. By abusing Dashlane's programming interfaces for device enrollment, the attackers sent requests to large numbers of existing users’ registered email addresses. In an update published Thursday, Dashlane wrote:

The threat actor targeted the API endpoints for device registration and used a brute force attack to send a large volume of automated requests to those endpoints.

In response, Dashlane’s automated security systems operated as intended, triggering an automatic lockout of the targeted accounts to protect those users. Before the attack was fully mitigated, the threat actor was able to brute force and generate valid tokens for fewer than 20 personal plan customers, allowing them to register a new device on those accounts and download copies of users’ encrypted vaults.

The flow and strategy of the attack

When a user installs the Dashlane app on a new device and attempts to enroll it in their existing account, Dashlane first verifies the account holder's identity. This verification is completed by sending a one-time six-digit token to the user’s registered email address (or, for users who have enabled two-factor authentication, by validating a six-digit code generated by their authentication app).
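The enrollment check described above is a six-digit one-time token, so a guess space of one million values. What bounds an attacker is not the token length but how many guesses the endpoint accepts before it locks the account, which is the control Dashlane says fired. The example below is added here and is not Dashlane's code; the attempt limit (5), token lifetime (600 seconds) and the `EnrollmentVerifier` API are assumptions chosen for illustration. It implements the verifier with a per-account attempt counter and expiry, and a helper that shows why a per-account lockout pushes an attacker toward the wide-net strategy the article describes: with a cap of five guesses per account, a single account is compromised with probability 5 in a million, so the expected yield only becomes non-trivial when many accounts are hit.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

TOKEN_DIGITS = 6
TOKEN_SPACE = 10 ** TOKEN_DIGITS   # 1,000,000 possible six-digit tokens
MAX_ATTEMPTS = 5                   # assumed lockout threshold (not Dashlane's real value)
TOKEN_TTL_SECONDS = 600            # assumed token lifetime (not Dashlane's real value)


@dataclass
class EnrollmentChallenge:
    """One outstanding device-enrollment token for an account (constructed example)."""
    token: str
    issued_at: float
    attempts: int = 0
    locked: bool = False


class EnrollmentVerifier:
    """Hypothetical server-side verifier for the device-enrollment token."""

    def __init__(self, clock=time.time):
        self._clock = clock                  # injectable clock so expiry is testable
        self._challenges: dict[str, EnrollmentChallenge] = {}

    def issue(self, account: str) -> str:
        # Uniformly random token, zero-padded to six digits.
        token = f"{secrets.randbelow(TOKEN_SPACE):0{TOKEN_DIGITS}d}"
        self._challenges[account] = EnrollmentChallenge(token=token, issued_at=self._clock())
        # A real service delivers this to the registered email address, never to the caller.
        return token

    def verify(self, account: str, guess: str) -> str:
        ch = self._challenges.get(account)
        if ch is None:
            return "no_challenge"
        if ch.locked:
            return "locked"                  # lockout persists until an out-of-band reset
        if self._clock() - ch.issued_at > TOKEN_TTL_SECONDS:
            del self._challenges[account]
            return "expired"
        ch.attempts += 1
        # Constant-time comparison so response timing does not leak matching digits.
        if hmac.compare_digest(ch.token, guess):
            del self._challenges[account]     # single use
            return "ok"
        if ch.attempts >= MAX_ATTEMPTS:
            ch.locked = True
            return "locked"
        return "wrong"


def expected_compromises(accounts: int, attempts_per_account: int) -> float:
    """Expected number of accounts whose token is guessed when each account
    accepts at most `attempts_per_account` distinct guesses before lockout."""
    guesses = min(attempts_per_account, TOKEN_SPACE)
    return accounts * guesses / TOKEN_SPACE


if __name__ == "__main__":
    v = EnrollmentVerifier()
    token = v.issue("user@example.test")
    print("wrong guess:", v.verify("user@example.test", "000000" if token != "000000" else "000001"))
    print("expected compromises, 1M accounts x 5 guesses:",
          expected_compromises(1_000_000, MAX_ATTEMPTS))
```

The detection consequence follows from the arithmetic: with a working lockout, the attacker's signal is not one account receiving thousands of failures but a very large number of accounts each receiving a handful of enrollment requests and failures in a short window, so the alert should be keyed on enrollment-request volume across accounts and per source, not only on failures per account.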
