There's a lot that doesn't add up in Dashlane's recent security advisory, which warns of a brute-force attack on user accounts. The company says an external party launched the attack with the aim of bypassing two-factor authentication (2FA) in order to register new devices.
A UK-based user who received one of these 2FA requests was left puzzled and contacted Dashlane through its support bot, only to learn of the incident from infosec accounts on Mastodon. The user asked how an attacker could have triggered a 2FA request at all without first having the account password. As a paying customer, they felt entitled to hear more from Dashlane itself.
Typically, 2FA codes are six digits long and change every 30 seconds. A blind guess therefore has roughly a one-in-a-million chance of being accepted (a little more if the server tolerates adjacent time steps), and that chance does not improve as the code rotates, so an attacker needs hundreds of thousands of guesses per account to have reasonable odds. Brute-forcing 2FA within three hours is implausible unless guesses can be submitted at a very high rate with nothing stopping them. Dashlane's advisory suggests its security controls automatically locked the targeted accounts because of the high volume of attempts.
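To make the arithmetic concrete, here is an added illustration that is not Dashlane's code and is not taken from the advisory: a standard six-digit, 30-second TOTP verifier (RFC 6238, HMAC-SHA1) paired with a hypothetical per-account lockout after five failed codes, plus the probability that a run of blind guesses hits an accepted code. The secret (the RFC 6238 test-vector key), the lockout threshold of five and the one-step tolerance window are assumptions chosen for the demo, not Dashlane's settings.

```python
import hashlib
import hmac
import math
import struct


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1): the code for the time step containing unix_time."""
    counter = unix_time // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


class AccountVerifier:
    """Hypothetical per-account 2FA verifier with a failure counter and lockout.
    The max_failures threshold and the +/-1 step tolerance are assumed policy."""

    def __init__(self, secret: bytes, max_failures: int = 5, skew: int = 1,
                 step: int = 30, digits: int = 6):
        self.secret = secret
        self.max_failures = max_failures
        self.skew = skew          # accept codes from this many steps either side of "now"
        self.step = step
        self.digits = digits
        self.failures = 0
        self.locked = False

    def verify(self, code: str, unix_time: int) -> str:
        """Returns 'ok', 'fail' or 'locked'."""
        if self.locked:
            return "locked"
        for delta in range(-self.skew, self.skew + 1):
            expected = totp(self.secret, unix_time + delta * self.step, self.step, self.digits)
            if hmac.compare_digest(expected, code):
                self.failures = 0
                return "ok"
        self.failures += 1
        if self.failures >= self.max_failures:
            self.locked = True
            return "locked"
        return "fail"


def success_probability(attempts: int, digits: int = 6, skew: int = 1) -> float:
    """Chance that at least one of `attempts` blind guesses is accepted.
    Each guess succeeds with probability (2*skew+1)/10**digits, regardless of
    how often the code rotates."""
    p = (2 * skew + 1) / 10 ** digits
    return 1.0 - (1.0 - p) ** attempts


def attempts_for_probability(target: float, digits: int = 6, skew: int = 1) -> int:
    """Smallest number of blind guesses giving at least `target` success probability."""
    p = (2 * skew + 1) / 10 ** digits
    return math.ceil(math.log(1.0 - target) / math.log(1.0 - p))


def brute_force(verifier: AccountVerifier, guesses, unix_time: int):
    """Submit guesses until the verifier accepts one or locks the account.
    Returns (outcome, number_of_guesses_submitted)."""
    submitted = 0
    for guess in guesses:
        submitted += 1
        result = verifier.verify(guess, unix_time)
        if result != "fail":
            return result, submitted
    return "exhausted", submitted


if __name__ == "__main__":
    # Constructed demo: RFC 6238 test-vector secret; at time 59 the code is 287082.
    secret = b"12345678901234567890"
    now = 59
    print("legitimate code:", totp(secret, now))
    print("P(success) after one guess:", success_probability(1))
    print("guesses needed for a 50% chance:", attempts_for_probability(0.5))
    account = AccountVerifier(secret, max_failures=5)
    # Naive sequential brute force: 000000, 000001, ... until accepted or locked.
    outcome, n = brute_force(account, (str(i).zfill(6) for i in range(10 ** 6)), now)
    print(f"brute force outcome: {outcome} after {n} guesses")
```

With a one-step tolerance, three of the million possible codes are accepted at any moment, so a 50% chance of success takes about 231,000 guesses against a single account; a lockout after a handful of failures stops the sequential attacker after five. The example also shows why "the code changes every 30 seconds" is not in itself a defence: each guess is an independent draw, and only the rate limit or lockout changes the outcome.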
That gap in the story is troubling for users and security professionals alike. The technical details may be complex, but the episode underscores the need for clear communication from companies when they face a significant security incident.