What just happened? Dashlane, one of the larger and more popular password managers, has locked multiple users out of their accounts following a series of brute-force attacks. The good news is that the company says its internal systems were not compromised, but the incident highlights how these tools can be disrupted by account takeover attempts.

The trouble began on Sunday, May 31, when Dashlane users started reporting suspension emails and login problems. Some said they were suddenly unable to access their vaults, while others received messages warning that someone had tried to register a new device using their account.

"Your account has been temporarily suspended for security reasons as someone has attempted to register a new device and didn't enter the correct token after several tries," the emails stated. Affected users were told to contact customer support to restore access.

Dashlane later confirmed that an external party had targeted certain user accounts in a brute force attack. Rather than indicating a breach of Dashlane's own systems, the lockouts were triggered by the company's built-in security controls after repeated failed attempts to bypass two-factor authentication protections and add new devices.

The company initially marked the incident as resolved on May 31, saying affected accounts had been unsuspended. It later moved the status back to monitoring on June 1 and said the incident had affected email notifications and two-factor authentication systems.

Dashlane has not said how many users were targeted. However, it later disclosed that attackers were able to download encrypted vault copies belonging to fewer than 20 personal plan users, who were notified directly. Anyone who did not receive a specific message about vault risk was not impacted in that way.

Dashlane stressed that vault contents remain protected by each user's Master Password. As with other zero-knowledge password managers, Dashlane cannot read customers' stored passwords, and an encrypted vault file should be useless unless the attacker can guess or crack the Master Password.

The incident still caused plenty of confusion. Some users on Reddit wondered whether the suspension emails were phishing attempts, a concern made worse by the fact that they arrived before Dashlane had publicly explained what was happening. Others complained about slow support responses and the lack of clearer communication while they were locked out of the very tool they rely on to access their digital lives.

Dashlane advises users to review registered devices, remove anything unfamiliar, enable 2FA if it is not already active, and make sure their Master Password is strong and unique.