"Dashlane Have Been Hacked!" read the subject line in my inbox on Friday morning, referring to a popular password manager app. All but the first word was a telltale sign of a phishing scam – not to mention the link in the email to download software that would purportedly remedy the problem.
Most obviously, companies probably would not use the word "Hacked," let alone an exclamation point, to alert users to a data breach. For legal and PR reasons, their wording would be more nuanced, such as the "Ticketmaster data security incident on third-party database" email many people received last year.
But the words "Dashlane" and "Hacked" were all my brain registered at first. I don't use Dashlane's paid service. (The free version of Bitwarden's password manager works for me.) But I had recently written an article for the Wall Street Journal about a secure log-in technology called passkeys and had mentioned Dashlane as one of the apps people can use to securely store them. In other words, I was afraid of looking foolish for implicitly endorsing a product that just got hacked.
This wasn't an unfounded fear. I did something similar in a 2019 Fast Company article when I declared password manager LastPass to be "the bargain champ" in the category. Then in 2022, the company suffered a major data breach, with a series of disclosures that hammered its reputation.
So, I had some unique reasons for jumping when I saw this email, but other people might have their own reasons. They may vaguely remember that one of these password managers got hacked. Or maybe they have been spooked by any number of the other legitimate data-breach alerts they keep getting from companies whose names they may not even recognize.
(We can take some solace, or maybe schadenfreude, by realizing that even pros like cybersecurity expert Troy Hunt sometimes fall for phishing scams.)
Beyond the alarmist subject line, the Dashlane scam email did get much of the breach alert lingo right, including the kind of "it's probably not so bad" assurances we are used to seeing in other breach alerts. It even included some plausible-looking technobabble.
"While our zero-knowledge architecture continues to protect your master password and encrypted data from exposure, we have detected potential compromise of the encryption-metadata relay system that manages vault synchronization across devices."
But then comes the rub. The email provides a link to download a "new Dashlane Desktop App" to restore access to your account logins. Yikes! Also, Dashlane discontinued support for its Mac and Windows apps a few years ago.
Since I write about security a lot, my training quickly kicked in to dispel my irrational anxiety. I went to Dashlane's actual website (not whatever that link in the email would have sent me to), where there was no mention of a breach. I also did a quick Google search on "Dashlane hack," and found only unrelated press announcements. These are easy steps for anyone to take, even ones we can recommend to our less-techy family members and friends.
There are a few other simple things anyone can do. (The exact steps may vary depending on your specific setup.) First, I inspected the email address, which was displayed in the message as "DashLane" (already a misspelling).
It's easy to see what the real address is. In Gmail on the web, it should be displayed right after the sender's name. In this case, "DashLane
As for the actual link in an email like this, don't go near it. You are likely to hit a phishing site or malware download.
But before you do anything, when an alarming email arrives, just breathe. Even if it is real and urgent, you can spare five minutes to calm down before taking action.
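For readers who filter mail for a family or a small office, the manual checks described above (the sender's real address versus the brand name it displays, an alarmist subject line, a link to download software) can be automated. The Python sketch below is an added example, not anything from Dashlane or a mail provider; the sender address and URL in the sample messages are constructed, and the brand-to-domain list is an assumption you would maintain yourself.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: brands we care about and the domains they legitimately send from.
KNOWN_BRANDS = {"dashlane": {"dashlane.com"}}
ALARM_WORDS = re.compile(r"\b(hacked|breached|compromised)\b", re.I)
DOWNLOAD_LINK = re.compile(r"https?://\S+\.(?:exe|msi|dmg|pkg|zip)\b", re.I)

def sender_domain_matches(address, allowed):
    """True only if the address is at an allowed domain or a subdomain of one."""
    domain = address.rpartition("@")[2].lower()
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def phishing_signals(raw_message):
    """Return the warning signs found in one raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    display_name, address = parseaddr(msg.get("From", ""))
    subject = msg.get("Subject", "")
    body = msg.get_payload()
    signals = []
    for brand, domains in KNOWN_BRANDS.items():
        claimed = brand in display_name.lower() or brand in subject.lower()
        if claimed and not sender_domain_matches(address, domains):
            signals.append(f"claims {brand} but sent from {address}")
    if ALARM_WORDS.search(subject) or "!" in subject:
        signals.append("alarmist subject line")
    if isinstance(body, str) and DOWNLOAD_LINK.search(body):
        signals.append("link to a software download")
    return signals

# Constructed samples: the addresses and URLs below are made up for illustration.
SAMPLE_PHISH = """From: DashLane <support@dashlane-alerts.example>
Subject: Dashlane Have Been Hacked!
Content-Type: text/plain

Get the new Dashlane Desktop App: https://dashlane-alerts.example/Setup.exe
"""

SAMPLE_LEGIT = """From: Dashlane <no-reply@dashlane.com>
Subject: Your monthly security summary
Content-Type: text/plain

Read more at https://www.dashlane.com/blog
"""

if __name__ == "__main__":
    for name, raw in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_signals(raw))
```

A clean result only means none of these three signs were present; the sender's domain in a From header can itself be forged, so checking the company's own website remains the deciding step.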
[Image credit: Sean Captain/Techlicious via Midjourney, screenshot via Sean Captain/Techlicious]