SECURITY
Dashlane Admits 20 Encrypted Vaults Stolen in Vague Security Advisory
Here's the part that should make you stop scrolling: Dashlane's own explanation of how 20 encrypted password vaults were stolen doesn't quite hold together mathematically, and the company's users found out about the breach from strangers on Mastodon before Dashlane told them directly.
The company published an advisory this week saying attackers launched a brute-force campaign against user accounts starting May 31, targeting two-factor authentication protections to register new devices. Simple enough on the surface. But the moment you look at the numbers, things get weird.
A standard six-digit time-based one-time password has one million possible values. The 2FA codes in question were reportedly valid for three hours, an unusually long window compared with the 30-second step most authenticator apps use (servers typically accept a step of clock drift on either side, so a code lives for a minute or two, not hours). A three-hour window changes the arithmetic completely: trying all one million values in 10,800 seconds works out to roughly 93 guesses per second, a load a single machine can sustain with no special infrastructure, and on average the attacker lands on the right code halfway through. Nothing about the code space itself makes the attack implausible; what decides it is how quickly the service stops accepting guesses.
Which brings us to rate limiting. Dashlane's advisory mentions that accounts were automatically locked due to high volumes of login attempts, which implies some kind of throttling was in place. But if lockouts triggered, how did attackers successfully brute-force anything at all? A lockout after, say, ten wrong codes leaves an attacker ten guesses per account, and the chance that one of them matches a six-digit code is one in a hundred thousand. Either the throttling was far looser than "locked" suggests, or the attackers got in by some route other than guessing. The company hasn't explained that gap.
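To put numbers on the two points above, here is an added simulation of an attacker guessing codes against a six-digit TOTP verifier. It is not Dashlane's code and is not derived from the advisory beyond the six-digit code, the three-hour validity window and a three-hour campaign; the secret, the guess rate of 100 per second and the lockout threshold of five failures are constructed values chosen for illustration, and the verifier is a textbook RFC 6238 implementation rather than any vendor's. It shows that a three-hour window with no lockout guarantees a hit for a single client, and that a persistent lockout caps the attacker's odds at a few in a million regardless of how long the code lives.

```python
"""Online guessing against a six-digit TOTP verifier.

Added example, not Dashlane's code. The secret, the guess rate and the
lockout threshold are constructed for illustration; only the six-digit code,
the three-hour validity window and the three-hour campaign come from the
advisory as reported above.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Optional

CODE_SPACE = 10**6                              # six decimal digits
SECRET = b"constructed-demo-secret-not-real"    # constructed, not a real seed
THREE_HOURS = 3 * 3600


def totp(secret: bytes, step_index: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1 with dynamic truncation), as authenticator apps do it."""
    mac = hmac.new(secret, struct.pack(">Q", step_index), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10**digits:0{digits}d}"


class Verifier:
    """Server side. A code is valid for `window` seconds. With `max_failures` set,
    the account locks after that many consecutive wrong codes and stays locked
    (the persistent lock the advisory's wording suggests)."""

    def __init__(self, secret: bytes, window: int, max_failures: Optional[int] = None):
        self.secret, self.window, self.max_failures = secret, window, max_failures
        self.failures, self.locked = 0, False
        self._current = (None, "")              # (step index, code) cache

    def expected(self, now: int) -> str:
        step = now // self.window
        if self._current[0] != step:
            self._current = (step, totp(self.secret, step))
        return self._current[1]

    def check(self, now: int, code: str) -> bool:
        if self.locked:
            return False
        if hmac.compare_digest(code, self.expected(now)):
            self.failures = 0
            return True
        self.failures += 1
        if self.max_failures is not None and self.failures >= self.max_failures:
            self.locked = True
        return False


@dataclass
class Outcome:
    success: bool
    attempts: int
    locked: bool


def brute_force(verifier: Verifier, rate: int, budget: int) -> Outcome:
    """Attacker: `rate` guesses per second for `budget` seconds. Against an unknown
    code, walking 000000..999999 in order is as good as any other strategy; the
    walk restarts whenever the code window rolls over."""
    attempts, guess = 0, 0
    for now in range(budget):
        if now % verifier.window == 0:
            guess = 0                           # fresh code, earlier misses tell us nothing
        for _ in range(rate):
            if verifier.locked:
                return Outcome(False, attempts, True)
            attempts += 1
            if verifier.check(now, f"{guess:06d}"):
                return Outcome(True, attempts, False)
            guess += 1
    return Outcome(False, attempts, verifier.locked)


def success_probability(window: int, rate: int, budget: int,
                        max_failures: Optional[int] = None) -> float:
    """Closed form for the same attack. Each window is an independent draw of the
    code, so P = 1 - (1 - g/10^6)^n with g guesses per window over n windows.
    A persistent lock caps the whole campaign at max_failures guesses."""
    if max_failures is not None:
        return min(max_failures, CODE_SPACE) / CODE_SPACE
    windows = -(-budget // window)              # ceiling division
    per_window = min(rate * window, CODE_SPACE)
    return 1 - (1 - per_window / CODE_SPACE) ** windows


if __name__ == "__main__":
    for label, window, lock in [("3 h window, no lockout", THREE_HOURS, None),
                                ("3 h window, lock after 5", THREE_HOURS, 5),
                                ("30 s window, lock after 5", 30, 5)]:
        got = brute_force(Verifier(SECRET, window, lock), rate=100, budget=THREE_HOURS)
        print(f"{label}: {got}, closed form P="
              f"{success_probability(window, 100, THREE_HOURS, lock):.3g}")
    print("30 s window, no lockout, 100 guesses/s for 3 h: closed form P="
          f"{success_probability(30, 100, THREE_HOURS):.3f}")
```

The closed form is the instructive part: with a 30-second window and no lockout, 100 guesses per second for three hours still succeeds about two thirds of the time, because every window is a fresh draw and the attacker gets 360 of them. A short code lifetime alone does not save the account; the lockout does, which is exactly why the advisory's "accounts were automatically locked" sits so awkwardly next to "brute-forced".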
One alternative reading of the whole incident: Dashlane may be using the term "brute-force" loosely, and what actually happened could be closer to a 2FA fatigue attack (also called MFA fatigue or push bombing). That's where an attacker already has a user's password and simply hammers the user with push-notification approval requests, hoping they tap approve out of frustration or confusion. It's a well-documented tactic, and it would explain the mechanics far more cleanly than traditional brute-forcing would.
What makes this worse isn't just the technical ambiguity — it's the communication failure. At least one UK-based Dashlane user received a suspicious 2FA prompt on Sunday, reached out to Dashlane's support bot for answers, got nothing useful, and then pieced together what happened by reading posts from the security community on Mastodon. For a product whose entire value proposition is protecting your most sensitive credentials, that's a trust-eroding sequence of events.
The 20 stolen vaults are described as encrypted, which is meaningful. Without the master password, the contents should be unreadable. But "should be" is doing a lot of heavy lifting when we don't know which key-derivation settings protected each vault, whether any of those users chose weak master passwords, or how long attackers are willing to spend cracking them offline. Once a vault is in an attacker's hands, the only thing slowing them down is the cost of each master-password guess, and that cost is set by the key-derivation function, not by any rate limit on Dashlane's servers.
Password managers sit at the absolute center of a person's digital life. When one gets breached — even partially, even with encryption intact — users deserve a straight, technically honest account of what happened. Dashlane hasn't provided that yet, and the silence is louder than anything in the advisory.
Source: Ars Technica
POLICY
Google Ordered to Add Source Links and Let UK Publishers Opt Out
For the first time anywhere in the world, publishers now have a legally enforceable right to opt their content out of powering AI search features — and a regulator is making sure Google can't punish them for doing it. That's the headline out of the UK's Competition and Markets Authority this week, and it's a bigger deal than it might initially sound.
The CMA ordered Google to make two concrete changes to how its AI-generated search features work. First, Google must add clearer attribution and functional links when its AI Overviews pull from publisher content. Second, Google must give publishers an actual mechanism to opt out of having their material used to fuel those AI summaries — and critically, Google cannot downrank those publishers in standard search results as retaliation.
Google has nine months to fully comply, though the CMA said it expects the most significant controls to be available to publishers well before that deadline. Google will also have to file compliance reports with supporting data, which means the regulator is building in an accountability layer rather than just issuing a directive and walking away.
The timing is pointed. Google's AI Overviews have been a sore spot for publishers since their rollout. The feature serves users confident-sounding answers synthesized from across the web, sometimes reducing the incentive to click through to the original source at all. When the links that do appear don't clearly correspond to the claims being made, publishers get the worst of both worlds: their content trains the system, but their traffic doesn't recover.
Google, for its part, had pushed back on both requirements during the formal CMA proceeding earlier this year. The company argued it was already motivated to get attribution right on its own terms, and warned that loading AI Overviews with too many source links would degrade the user experience and paradoxically drive fewer clicks to publishers, not more. It's a defensible position in the abstract — but it also conveniently keeps Google in control of defining what "right" looks like.
The CMA's authority here comes from its designation of Google as having "strategic market status" in general search — essentially a finding that Google is powerful enough in this market to require proactive behavioral rules, not just reactive antitrust enforcement. Similar investigations are underway for Apple and Microsoft, so this ruling may be a preview of what's coming for other platforms.
In response to the order, Google announced it's already testing a new toggle in Search Console that lets site owners control whether their content appears in AI-generated features like AI Overviews and AI Mode. Sites that opt out won't receive traffic from those features — a trade-off Google is now required to make available rather than one it gets to offer on its own schedule.
The broader implication is straightforward: regulators in at least one major market have decided that publishers, not Google, get to choose whether their content feeds AI search, and that choosing not to cannot cost them ordinary search ranking. The default is still inclusion, but the lever has changed hands, and that is a meaningful shift.
Source: Ars Technica