Dashlane issues opaque advisory warning 20 encrypted vaults were stolen
There’s a lot that doesn’t add up in a security advisory password manager Dashlane published Monday, warning that attackers managed to obtain 20 encrypted user vaults.
“Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts,” the company said. “The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.”
Hello, Dashlane, anybody home? A Dashlane user who received such a 2FA request provided this screenshot of the notification, which arrived on Sunday. The UK-based user was concerned and contacted Dashlane through a support bot. Ultimately the user got no information about why the notification was sent.
“Then [I] discovered this news from Mastodon infosec and not Dashlane themselves,” the user told me. “Currently trying to find out what has happened! Because how can you trigger a 2fa request if you haven’t got the password 1st? As a paying customer I think I should have known about this from Dashlane and not Mastodon infosec folks.”
Scores of social media discussions are filled with similar comments from users who also don’t understand the basic mechanics of this attack. Typically, 2FA protections take the form of a one-time password generated by an authentication app or sent by text or email. They’re typically six digits long and change every 45 or so seconds, although as the notification above indicates, the code remained valid for three hours.
Brute-forcing is a trial-and-error method that rapidly submits every possible combination until landing on the right one. Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the three-hour window. While the resources needed to bombard Dashlane servers with that volume of guesses in such a short period of time exist, they’re not commonly found in usual brute-force attacks.
Dashlane doesn’t explicitly say it placed a rate limit on the number of submissions a user can make, although it appears likely based on language in the advisory saying “Because of the high volume of attempts on user accounts, Dashlane’s security controls automatically locked accounts that were targeted by the attack.”
Even assuming there was no rate limiting, it’s hard to imagine Dashlane servers not at least temporarily choking when receiving 150,000 or more submissions in an hour or so. It’s possible that Dashlane’s reference to 2FA meant something else. Sometimes, 2FA can come in the form of push notifications. Once someone enters the correct account password, the notification is sent to the registered device. For the login to succeed, the user must press a button on their device that provides the second factor.
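As an added illustration (not code from Dashlane or from the article), the arithmetic behind the paragraphs above: a six-digit code has one million values, so an attacker able to push 150,000 guesses an hour for the three-hour window reaches a 45 percent hit rate, while a per-account lockout after a handful of failures, the kind of control the advisory appears to describe, caps that at a few in a million. The lockout threshold and account names are assumptions.

```python
import secrets
from dataclasses import dataclass, field

OTP_SPACE = 10 ** 6  # six-digit codes: 000000..999999, as the article assumes


def brute_force_success_probability(attempts: int, space: int = OTP_SPACE) -> float:
    """Probability that `attempts` distinct guesses hit one fixed code that stays
    valid for the whole guessing window (the article's three-hour case)."""
    return min(attempts, space) / space


@dataclass
class OtpVerifier:
    """Server-side verifier that locks an account after repeated failures.
    Constructed for illustration; the threshold is an assumption, not Dashlane's."""
    max_failures: int = 5
    issued: dict = field(default_factory=dict)    # account -> current code
    failures: dict = field(default_factory=dict)  # account -> consecutive failures
    locked: set = field(default_factory=set)

    def issue(self, account: str) -> str:
        """Issue a fresh random code for the account (returned only for the demo)."""
        code = f"{secrets.randbelow(OTP_SPACE):06d}"
        self.issued[account] = code
        return code

    def verify(self, account: str, guess: str) -> str:
        """Returns 'ok', 'fail' or 'locked'. Locked accounts reject even the right code."""
        if account in self.locked:
            return "locked"
        expected = self.issued.get(account, "")
        # constant-time compare so timing does not leak how many digits matched
        if expected and secrets.compare_digest(expected, guess):
            self.failures.pop(account, None)
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= self.max_failures:
            self.locked.add(account)
            return "locked"
        return "fail"


def attacker_success_bound(verifier: OtpVerifier) -> float:
    """With lockout, an attacker gets at most max_failures guesses per code."""
    return brute_force_success_probability(verifier.max_failures)
```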
A tactic known as 2FA fatigue exploits the friction of this process. An attacker who has already broken the first authentication factor attempts to log in repeatedly, resulting in a push notification being sent to the target each time. After dozens or even hundreds of attempts, the target finally gives in and presses the approve button. And of course, brute-force attacks on 2FA require the first authentication factor to already have been broken. Dashlane makes no mention of what this factor is or how it was broken.
It’s also plausible that the attack exploited features that allow Dashlane users to enroll new devices in their accounts. Such techniques typically work by tricking the user into approving an enrollment request that in fact registers a device owned by the attacker.
Dashlane said it has contacted fewer than 20 account holders whose encrypted vaults were obtained. “If you’re a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account,” the company said. It also notes that without the master decryption password—which Dashlane never sees or stores—vault contents remain safe.
But without more information, we’re left with more questions than we should be. Dashlane has maintained silence for more than 48 hours since publishing the opaque advisory. Company representatives didn’t respond to an email seeking details.