Dashlane, a leading password manager, revealed that a hacker exploited a vulnerability in its online login system, leading to the theft of encrypted vaults from fewer than 20 users. The incident occurred on a Sunday, and although Dashlane initially reported a brute force attack on its two-factor authentication (2FA) system, details remained unclear. The hacker was able to bypass the master password requirement by targeting the device registration flow, where entering a six-digit verification code was sufficient to access the encrypted vaults. This flaw allowed the hacker to potentially guess the code, as there are one million possible combinations. Dashlane has since stated that no master passwords were compromised, meaning the vault data should remain encrypted. To mitigate future risks, the company plans to add more verification layers and has implemented network-level protections to filter out malicious traffic. Dashlane emphasizes that its encryption methods ensure vault data remains secure despite the breach.