Dashlane issues opaque advisory warning 20 encrypted vaults were stolen

Under these assumptions, there would be 1 million possible passcodes. A successful breach would require a statistically significant percentage of them to be entered within the 45-second window.
Not really. You only need to try all of them in a single time window if you want certain success. Otherwise, each attempt with a random value has 1/1000000 odds of success. Try a million times, even over several days, and you're likely to succeed. About 63% likely if I'm not mistaken.

Bottom line is you need seriously low rate limits if this is your only remaining safety (i.e. the other authentication factor is known with certainty).
 

henritech

Was the attacker trying to target a small number of accounts with lots of attempts (why weren't they limited to a small number of attempts) or a huge number of accounts with a small number of attempts for each individual account?

To me the latter option seems more probable, especially if almost all users got notifications (including one of the first commenters in this news item).
 

Chinsukolo

As a Dashlane user, I think it was this. Both my wife and I got new device requests from a device in India on Sunday.
Got one myself too. Had a moment of panic, but remembered I changed managers already. It was a good reminder to nuke the vault though. They make it kind of a pain to nuke your vault if you are not a paying customer anymore.
 
I was so very confused why we are reading reporting on a half-baked news story that doesn't have enough details to be worth communicating yet. I get there's a rush to be first.. but this is getting rather silly Ars....
Yeah, it's right there in the Dashlane advisory from Monday

https://support.dashlane.com/hc/en-...-Brute-force-attack-on-Dashlane-user-accounts

Starting on Sunday, May 31, 2026, an external party launched a brute force attack against certain Dashlane user accounts. The goal of the attack was to brute-force two-factor authentication (2FA) protections to allow the attacker to register new devices on existing user accounts.
 
This may amount to very little, but it's worth remembering that this is not far off from how the LastPass vulnerability notices started.

LastPass had support channels be compromised. Dashlane's issues are similar but also different; honestly, the only way they are similar is that in both attacks customer vaults were accessible.

Why exactly is this being downvoted? LastPass employee(s) were compromised through social engineering. This is a straight up compromise through 2FA brute force attacks.

I can't even log into LastPass half the time on my device, without being first asked, if the device is approved to access my account.
 

TaxiZaphod

When Bleeping Computer, SecurityWeek, and The Hacker News all beat you to the story AND covered it more thoroughly, “breaking news” isn’t the right label for what this is.

Since I don't keep up on any of those other sites, I'm glad that Ars is covering this story. I probably would not have heard anything about it otherwise.

I don't see the term "breaking news" anywhere on this page except in your post. Perhaps that phrase was associated with this story, and was removed? (I have seen that happen here before, and story headlines that have changed.) But if not, it seems to me that you are mad about some implied elevated importance that simply isn't there?
 
Since I don't keep up on any of those other sites, I'm glad that Ars is covering this story. I probably would not have heard anything about it otherwise.

I don't see the term "breaking news" anywhere on this page except in your post. Perhaps that phrase was associated with this story, and was removed? (I have seen that happen here before, and story headlines that have changed.) But if not, it seems to me that you are mad about some implied elevated importance that simply isn't there?
The post has been updated but it’s still unfortunately underwhelming and incomplete as a story. What I’m mad about is sloppy journalism that comes underinformed and claims that there’s no information to be had when there’s plenty… you just have to... do the hard work of using Google first before you press publish and look silly.

Claiming no info exists and it’s a confusing situation when it isn’t is just, uh... what’s the word… wrong?

The whole thing reads like misinformation.. not a good look.
 

swrobel

Why exactly is this being downvoted? LastPass employee(s) were compromised through social engineering.
In my case, because you’re focusing on the wrong thing. The similarity lies in the fact that they’re being obtuse about what the exploit & impact are, which is extremely concerning from a security product.
 

StevenTMuc

Not really. You only need to try all of them in a single time window if you want certain success. Otherwise, each attempt with a random value has 1/1000000 odds of success. Try a million times, even over several days, and you're likely to succeed. About 63% likely if I'm not mistaken.
That's not how this works. This only works if you get lucky and the code is within whatever range of codes you manage to brute force within the expiry time of the code (3 hours). If it's less than say 500k/3h, the odds are not in your favor.
 
That's not how this works. This only works if you get lucky and the code is within whatever range of codes you manage to brute force within the expiry time of the code (3 hours). If it's less than say 500k/3h, the odds are not in your favor.
Even higher if it's typical OTP apps being used for 2FA, as they rotate codes every 30 seconds making this sort of brute force approach almost completely infeasible.
 

graylshaped

As a Dashlane user, I think it was this. Both my wife and I got new device requests from a device in India on Sunday.
The odds of both you and your wife constituting ten percent of the affected users are so remote as to lead one to suspect Dashlane is hiding impact > twenty.

edit: and now I see three of the affected users happen to be represented in this forum.
 

StevenTMuc

Even higher if it's typical OTP apps being used for 2FA, as they rotate codes every 30 seconds making this sort of brute force approach almost completely infeasible.
Yes, but according to the screenshot from an affected user, the code is valid for 3h
 

uniflare

The 2FA allows access to the encrypted data.
The password is used to decrypt that data.

The password is not sent over the wire. The payload is decrypted locally only. Dashlane does not know your password. Even if they get the vault, they still need too much time in the universe with the world's most powerful supercomputer to brute force a secure password.

This is fairly typical for secure vault services. You can see exactly how this works on Dashlane's GitHub.
 
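The split the post above describes (2FA and device checks gate access to the ciphertext; the master password turns into keys on the client and never reaches the service) as an added example. This is not Dashlane's code and makes no claim about Dashlane's actual scheme (the post points at their GitHub for that); it is a simplified, assumed design using only the standard library. PBKDF2-HMAC-SHA256 stretches the password into three domain-separated keys; one is a login verifier the server sees, two stay on the client to encrypt and authenticate the vault. An HMAC-SHA256 counter-mode keystream with a separate HMAC tag stands in for a real AEAD such as AES-GCM, which `hashlib` does not provide. The iteration count, salt and nonce sizes and the sample vault contents are all constructed for the demo.

```python
"""Client-side vault encryption model: the service holds a salt, a hash of a
login key and ciphertext; never the password, never the vault key.
Added example, not Dashlane's code; all parameters are assumptions."""
import hashlib
import hmac
import secrets
import time

ITERATIONS = 100_000  # assumption for the demo; real products use more, or Argon2


def derive_keys(password: str, salt: bytes):
    """Stretch the password once, then split it into unrelated subkeys."""
    master = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 ITERATIONS, dklen=32)

    def sub(label: bytes) -> bytes:
        return hmac.new(master, label, hashlib.sha256).digest()

    # (vault encryption key, vault tag key, login key sent to the server)
    return sub(b"enc"), sub(b"mac"), sub(b"auth")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; a PRF used as a stream cipher."""
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def encrypt_vault(plaintext: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return nonce + ct + tag


def decrypt_vault(blob: bytes, enc_key: bytes, mac_key: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or tampered vault")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class Server:
    """Everything the service stores per account. A thief who takes this
    (or who passes the 2FA gate) still needs the password to read the blob."""
    def __init__(self):
        self.accounts = {}

    def register(self, email: str, salt: bytes, auth_key: bytes, blob: bytes):
        self.accounts[email] = {"salt": salt,
                                "auth_hash": hashlib.sha256(auth_key).digest(),
                                "blob": blob}

    def salt_for(self, email: str) -> bytes:
        return self.accounts[email]["salt"]

    def fetch_blob(self, email: str, auth_key: bytes):
        acct = self.accounts[email]
        if not hmac.compare_digest(acct["auth_hash"], hashlib.sha256(auth_key).digest()):
            return None  # 2FA / new-device checks would also sit here: they gate the blob
        return acct["blob"]


def client_create(server: Server, email: str, password: str, vault: bytes):
    salt = secrets.token_bytes(16)
    enc, mac, auth = derive_keys(password, salt)
    server.register(email, salt, auth, encrypt_vault(vault, enc, mac))


def client_open(server: Server, email: str, password: str):
    enc, mac, auth = derive_keys(password, server.salt_for(email))
    blob = server.fetch_blob(email, auth)
    return None if blob is None else decrypt_vault(blob, enc, mac)


def offline_attack(blob: bytes, salt: bytes, candidates):
    """What a thief with the stolen blob and salt must do: one full PBKDF2 per guess."""
    for pw in candidates:
        enc, mac, _ = derive_keys(pw, salt)
        try:
            decrypt_vault(blob, enc, mac)
            return pw
        except ValueError:
            continue
    return None


def years_to_search(space: float, seconds_per_guess: float, guessers: int = 1) -> float:
    return space * seconds_per_guess / guessers / (365 * 86400)


if __name__ == "__main__":
    srv = Server()
    client_create(srv, "alice@example.com", "correct horse battery", b"site=example.com;pw=hunter2")
    print(client_open(srv, "alice@example.com", "correct horse battery"))
    print(client_open(srv, "alice@example.com", "wrong"))  # None: login key mismatch
    stolen = srv.accounts["alice@example.com"]
    t0 = time.perf_counter()
    print(offline_attack(stolen["blob"], stolen["salt"], ["password", "letmein", "correct horse battery"]))
    per_guess = (time.perf_counter() - t0) / 3
    print(f"{per_guess:.3f}s per guess; 2**60 passwords on 1e6 GPU-class guessers: "
          f"{years_to_search(2 ** 60, per_guess, 10 ** 6):.0f} years at this KDF cost")
```

The login key is derived from the same stretched secret as the vault keys but through a different label, so an attacker who obtains the server's `auth_hash` (or who brute-forces past the 2FA gate and pulls the blob) learns nothing that decrypts the vault; only the offline search in `offline_attack` remains, and its cost scales with the KDF work factor and the password's entropy.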
That's not how this works. This only works if you get lucky and the code is within whatever range of codes you manage to brute force within the expiry time of the code (3 hours). If it's less than say 500k/3h, the odds are not in your favor.
No, @euzeka is actually correct for guessing a code with temporary validity.
I know it seems counterintuitive, but the attacker doesn't care which code he matches, and for a new code in a known domain, generated so that it is randomly distributed in a fixed range (like a random 6-digit sequence for regular OTP codes), any guess has an equal chance of hitting it.
Your odds of guessing the valid code are controlled only by the size of the list of all possible codes and the total number of guesses you make.
The only condition needed for that is to not repeat the same guess within the time period for which a single code is valid. You can repeat the same sequence of guesses in each period, and your overall chance of making a matching guess keeps growing at the same rate.

For a simple example, assume you do 1 guess per cycle of the OTP code, and you always guess 123456. If the actual code is random each cycle, each cycle you have a 1 in a million chance of getting it right. If you can keep that up for a million cycles, your chance is actually pretty good. A bit over 63% according to a quick approximation.

One takeaway here is that relying on an OTP code (or similar mechanism) as a second factor without being able to throttle and eventually block attempts is only a delaying mechanism.


PS: This is only about guessing temporary codes in general. I have no knowledge regarding how Dashlane in particular handles this.
 
The odds of both you and your wife constituting ten percent of the affected users are so remote as to lead one to suspect Dashlane is hiding impact > twenty.

edit: and now I see three of the affected users happen to be represented in this forum.

I think you're slightly confused, understandably from the article. I think a lot of people were affected by getting the device authorization email. I think around 20 users, per Dashlane, were compromised, presumably by clicking "Authorize" in the email.
 

graylshaped

I think you're slightly confused, understandably from the article. I think a lot of people were affected by getting the device authorization email. I think around 20 users, per Dashlane, were compromised, presumably by clicking "Authorize " in the email.
Ah. Thanks!
 
Having a bit of trouble making sense of the headline...


Let's see... Dashlane is a subscription based password manager and digital wallet application available on macOS, Windows, iOS and Android, founded in Paris. Dashlane uses a subscription business model option.

That means:

Password manager and digital wallet application Dashlane got at least twenty accounts hacked
 

fractl

This whole thing is confusing. I just tested Dashlane’s behavior when adding a new device. When you enter in your email, it sends a code to your email address giving the code you need to enter into the new device. Once you enter the code, then you have to enter the password.

I got two attempts over the weekend, which I ignored as I had no intention of giving the attacker any help, but you also need to be really careful not to accidentally press the button in the email as that will send a push to the new device. (I did not try to verify this with my testing, seems too risky.)
 

Chinsukolo

Am I blind? Where is the notification in that Dashlane screenshot? What is the relevance of that screenshot?
It's an available public domain image from Dashlane themselves.

Fully relevant? No
Something they can publicly use and not have either doctor up or use someone's personal account and try to redact? Yes

My guess is Dashlane has posted pics of the actual email (likely to make it harder for attackers to spoof), and so the author used what they could from Dashlane's site.
 

enilc

Yes, but according to the screenshot from an affected user, the code is valid for 3h
Most of the 2FA logins I use give you 3 attempts before it locks out for XX minutes. The code is valid for a period of time (never seen one longer than 10 minutes) but the attempts lockout prevents brute forcing the code.
 
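A worked version of the probability argument that runs through this thread (the 63% figure for a million guesses, the "500k per 3h window" objection, and the lockout-after-a-few-attempts point in the post just above), added here as an example; it is not code from Dashlane or from any poster and says nothing about how Dashlane actually throttles. Assumed model: each validity window the server draws a fresh code uniformly from `space` values; the attacker submits distinct guesses within a window (repeating the same ones across windows is fine) and is bounded by request rate and, where the server enforces one, by an attempt cap per window. All scenario numbers (3h and 30s windows, 100 requests per second, a 3-attempt lockout) are illustrative assumptions.

```python
"""Odds of guessing a temporary numeric code, with and without rate limits.
Added example; not Dashlane's code, all scenario numbers are assumptions."""
import math
import random
from typing import Optional


def p_success(space: int, guesses_per_window: int, windows: int) -> float:
    """Probability of at least one hit over `windows` independent windows.

    Distinct guesses inside one window hit with probability g/space; the code
    is re-drawn each window, so the failure probabilities multiply. Repeating
    the same g values every window is exactly as good as choosing new ones.
    """
    g = min(guesses_per_window, space)
    return 1.0 - (1.0 - g / space) ** windows


def windows_needed(space: int, guesses_per_window: int, target: float) -> int:
    """Smallest number of windows at which success probability reaches `target`."""
    g = min(guesses_per_window, space)
    if g >= space:
        return 1  # the whole code space is covered inside a single window
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - g / space))


def guesses_per_window(window_seconds: float, rate_per_second: float,
                       lockout_attempts: Optional[int]) -> int:
    """Distinct guesses the attacker actually lands per window: bounded by
    request rate and, if the server locks the code after N tries, by N."""
    by_rate = int(window_seconds * rate_per_second)
    return by_rate if lockout_attempts is None else min(by_rate, lockout_attempts)


def seconds_to_target(space: int, window_seconds: float, rate_per_second: float,
                      lockout_attempts: Optional[int], target: float = 0.5) -> float:
    """Wall-clock time until the attacker's cumulative success odds reach `target`."""
    g = guesses_per_window(window_seconds, rate_per_second, lockout_attempts)
    if g == 0:
        return math.inf
    if g >= space:
        return space / rate_per_second  # finishes within the first window
    return windows_needed(space, g, target) * window_seconds


def simulate(space: int, guesses_per_window: int, windows: int,
             trials: int, seed: int = 1) -> float:
    """Monte Carlo check of p_success: the attacker sends codes 0..g-1 in every
    window (the same guesses each time) while the true code is re-drawn."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        for _ in range(windows):
            if rng.randrange(space) < guesses_per_window:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    N = 10 ** 6  # six-digit code
    print(f"1 guess per window, 1e6 windows : {p_success(N, 1, N):.3f}")      # ~0.632
    print(f"500k guesses in one window      : {p_success(N, 500_000, 1):.3f}")  # 0.500
    print(f"simulated, space 1000, 1000 windows: {simulate(1000, 1, 1000, 1000):.3f}")
    scenarios = [
        ("3h code,  no throttle, 100 req/s ", 3 * 3600, 100, None),
        ("30s code, no throttle, 100 req/s ", 30, 100, None),
        ("3h code,  lockout after 3 tries  ", 3 * 3600, 100, 3),
        ("30s code, lockout after 3 tries  ", 30, 100, 3),
    ]
    for name, win, rate, cap in scenarios:
        days = seconds_to_target(N, win, rate, cap) / 86400
        print(f"{name}: {days:10.2f} days to 50% success")
```

The table makes the thread's two positions compatible: total guesses decide the odds, so a long validity window only matters in combination with the number of guesses the server lets through per window. Without a per-code attempt cap, a 3-hour code at 100 requests per second is exhausted in under three hours, while a 3-attempt lockout pushes the same attacker to decades for one account; an attacker who instead spreads three tries over many accounts gets the per-account odds shown by `p_success(N, 3, 1)`, which is why spraying thousands of accounts for a handful of successes is the cheaper strategy.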
This is exactly why I don't use these companies. They've put together a giant honey pot that is pretty well guaranteed to attract infiltration attempts by organized crime. I use KeePass to create an encrypted database, store it on Google Drive where it is encrypted again, and access it from there with all my devices. I think I'll probably switch to a sync program and cut Google out of the picture as well.
 

Jeff S

Are inactive Dashlane accounts (that is, past users who no longer use them), definitely protected? I'm thinking not. . . because I'm thinking that most online services allow "inactive" user accounts to still login so they can re-activate their subscription.

So an attacker could brute force a dormant account, provide a stolen credit card to re-activate the sub, and then access the vault?
 

Tiers

Not sure about Dashlane, but with Keeper password manager, some login flows you can be prompted for MFA before your password. Maybe something similar happened here? I’ve always found this unusual, but I assume it is to prevent brute force password attacks.
I wonder if there’s a huge gain in doing it either way. Basically, if something can be brute-forced, someone will try getting in. I guess the mentality is passwords are the most common weak link so better to hide them behind 2FA vs the other way around.
 
People have been conditioned to trade security and ownership for relative convenience of cloud-based services.

The problem here is that they are now the biggest target, not a single person.

But in reality, we’ve traded “friction” use cases like manually copying your core password db weekly from your home computer (or better yet, Syncthinging the process) to your phone, for the mess of dealing with account creations, password complexities for those, Twilio verification codes (and more data given to the cloud providers), mass breaches and ultimately more time spent managing this stuff. And also paying for it. Stuff that was supposed to make our lives easier and things faster.

In reality, it has not.
 
The odds of both you and your wife constituting ten percent of the affected users are so remote as to lead one to suspect Dashlane is hiding impact > twenty.

edit: and now I see three of the affected users happen to be represented in this forum.
If I'm not mistaken, the affected people refers to people whose vaults were stolen. Getting a 2FA notification doesn't necessarily mean that person's vault was successfully stolen. The attackers could presumably cause thousands of 2FA notifications, but only successfully access 20 vaults.

I don't trust that 20 is a fully truthful number, but I do think the number of 2FA notifications would far outnumber how many vaults were successfully stolen.
 