Dashlane issued a security advisory this week stating that 20 encrypted password vaults were stolen from its cloud-based service [1].
This breach highlights the persistent risks facing centralized password managers, though the company maintains that the stolen data is currently inaccessible to attackers.
According to the company, the stolen vaults are encrypted. A Dashlane spokesperson said that without the master decryption password, which Dashlane never sees or stores, vault contents remain safe [2]. The company said that the security of the data relies on this master password, which is not held by the provider [2].
Dashlane has informed the specific users affected by the theft. The company said that users who have not received a specific notice are not impacted by this event [2].
"If you're a Dashlane user and have not received a message from Dashlane specific to vault risk, there is no impact to your Dashlane account," a Dashlane spokesperson said [2].
While the number of stolen vaults is limited to 20 [1], the incident underscores the importance of strong master passwords. The company said that the encryption prevents the stolen files from being read as plain text [2].
This incident demonstrates the 'zero-knowledge' security model in practice. Because Dashlane does not store the master passwords used to decrypt the vaults, the theft of the encrypted files does not by itself expose the passwords stored inside them. However, it leaves the affected users vulnerable to brute-force attacks if their master passwords are weak.
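The model described above, as an added sketch that is not Dashlane's code: the client derives keys from the master password and uploads only the sealed record, so the stored record cannot be opened without that password. The PBKDF2 work factor, the HMAC-based keystream (a standard-library stand-in for a vetted AEAD such as AES-GCM), and all function and field names are assumptions made for illustration.

```python
import hashlib, hmac, json, os

KDF_ITERATIONS = 200_000  # assumed work factor; each password guess costs this much

def _derive_keys(master_password, salt):
    """Stretch the master password, then split into encryption and MAC keys."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS)
    return (hmac.new(root, b"enc", hashlib.sha256).digest(),
            hmac.new(root, b"mac", hashlib.sha256).digest())

def _xor_keystream(key, nonce, data):
    """Stand-in cipher: XOR with an HMAC-SHA256 counter keystream (illustration only)."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def seal_vault(master_password, entries):
    """Client side: returns the only record the provider would ever store."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ciphertext = _xor_keystream(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def open_vault(master_password, record):
    """Client side: re-derive the keys and verify the tag before decrypting."""
    enc_key, mac_key = _derive_keys(master_password, record["salt"])
    signed = record["salt"] + record["nonce"] + record["ciphertext"]
    expected = hmac.new(mac_key, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor_keystream(enc_key, record["nonce"], record["ciphertext"]))

if __name__ == "__main__":
    # Constructed sample data: neither value is a real credential.
    stored = seal_vault("constructed master password", {"example.test": "constructed-secret"})
    print(sorted(stored))  # field names of the server-side record; no password, no key
    print(open_vault("constructed master password", stored))
```

The record holds a salt, a nonce, ciphertext and a tag, so the only secret protecting it is the master password itself; the key-stretching work factor sets the cost of each guess against a stolen copy.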





