Dashlane security breaches are fake?

Dashlane is a pretty neat password manager, but I question the reliability of the security breaches it reports and wonder if it's actually just randomly generating them to make you think Dashlane is doing a good job of protecting you.

What makes me think this?

Well, I first got a security breach for a website that's very specific to our company, unlikely to be the target of an attack, and that we administer; we are confident it's not been breached (we would be in a panic if it was), so what makes Dashlane think it's been breached?

Dashlane say they use a service called Pwnedlist to get information about security breaches. Pwnedlist allows you to search for your email in their database. None of my emails appear in their database.

So if you ask me, these security breach alerts look like they are fake and pop up randomly from time to time as an incentive for me to want to subscribe to the Dashlane service; after all, it's keeping me safe, right?

Update: having had a conversation with a Dashlane dev (see comments), who explained what happens and why my email isn't necessarily found in the second case, and who also investigated the website concerned in the company-specific case for me, found that it isn't flagged, and concluded that it may be a bug, I won't pass judgement just yet. Instead I will log any other questionable security alerts as bugs and maybe help improve the product.

I am liking Dashlane so far (aside from the questionable security breach alert and a couple of other little issues); coming from a long-time LastPass user, the user interface is refreshing. Will I subscribe to get password syncing? Probably not; I would probably make do with having to manually sync (i.e. re-entering commonly used website passwords on different devices, which equates to two PCs).

Update 2013-09-05:-

Good news: Dashlane have found the issue re false reporting of websites as compromised, and it turns out it was a wording issue. It was really trying to tell me that I was using the same password on this website as I was using on a website that has been compromised.

Bad news: I have found a serious memory leak in the Chrome Plug-In Host on OS X, whereby it consumes as much as 80MB per day; after 5 days it was using over 500MB (it starts at just 50MB). Some increase in memory footprint is to be expected, but this is continuous; you can watch it tick up memory in Activity Monitor. Dashlane have yet to acknowledge this is an issue.

Update 2014-07-30:-

Dashlane have acknowledged the memory issue.


About austinfrance

Technical Developer @ RedSky IT / Explorer Software

10 Responses to Dashlane security breaches are fake?

  1. damien says:

    Hey !
    I’m a Dashlane dev, I’ve developed this feature.
    We do use Pwnedlist, and they do provide a service of their own where you can check if your email address is in one of the credential dumps they've gathered.
    But we only check if you have an account on one or more breached website. And we know if a website has been breached if Pwnedlist tells us so :).

    We chose to do it like this because if a hacker somehow accessed a website’s user database, there’s a high chance that either he dumped it all (even if he did not publish it, or published only a part of it), or that he backdoored the server (there’s no way to really know anyway..).

    Better safe than sorry :D.

    • austinfrance says:

      Is what you're saying that because someone else's account, linked to a website, appears on Pwnedlist, you flag that website as security breached? If a hacker posts a subset of account data that results in Pwnedlist flagging a site, then it is reasonable to flag the entire site.

      What I don't understand is how an obscure, very company-specific website (customer portal), that has not to our best knowledge been breached (we administer it), could be flagged. Unfortunately I can't check Pwnedlist for a site that's been flagged, only an email. If you're flagging a site as breached because a careless user has allowed their login credentials linked to that site to be stolen (via a trojan, for example), then that's a step too far; you may as well flag every site on the internet in that case.

      • damien says:

        "Is what you're saying that because someone else's account, linked to a website, appears on Pwnedlist, you flag that website as security breached? If a hacker posts a subset of account data that results in Pwnedlist flagging a site, then it is reasonable to flag the entire site."
        -> Yes. But as far as I know Pwnedlist "crawls" the web to find breach data posted by hackers on websites like pastebin.com; these kinds of posts usually have a partial/full credential database dump, depending on the website it's either username:password or username:hash. I've never seen an occurrence of a single username/password posted; Pwnedlist specializes in massive credential dumps made publicly available on the web.

        So for example, Pwnedlist finds a dump on pastebin.com looking like this:

        “Credential dump for xyz.com”
        michel@gmail.com:MyPassword
        guy@orange.fr:Sup3erPassw0rd
        ( … Thousand more accounts …)

        We will flag xyz.com as breached and notify all Dashlane users who have accounts on xyz.com.

        You seemed concerned about a specific website on which we signaled a breach; care to tell me which one? Maybe I can find more information about it.

      • austinfrance says:

        Sent you an email.
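The mechanism damien describes above (a pasted dump names a site, so every vault account on that site gets an alert, without the user's own email ever being looked up) and the clarification in the 2013-09-05 update (the portal was flagged for sharing a password with an account on a breached site) fit together in a few lines. This is an added example, not Dashlane's or Pwnedlist's code; the dump text, the VaultEntry record, the vault contents and all function names are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample dump (invented addresses, not real data), in the shape
# damien describes: a header naming the site, then email:password lines.
SAMPLE_DUMP = """Credential dump for xyz.com
michel@example.com:MyPassword
guy@example.org:Sup3erPassw0rd
"""

HEADER_RE = re.compile(r"(?i)credential dump for\s+([a-z0-9.-]+\.[a-z]{2,})")
CRED_RE = re.compile(r"^([^:\s]+@[^:\s]+):(.+)$")


@dataclass
class VaultEntry:
    """One saved login; a hypothetical stand-in for a password-manager record."""
    site: str       # URL or host as stored in the vault
    username: str
    password: str


def parse_dump(text):
    """Return (breached_domain, [(email, secret), ...]) for one pasted dump.

    The domain comes from the header line only. The email list is what
    Pwnedlist's own lookup searches; the site-level alert never consults
    it, which is why a user's address need not appear in any dump.
    """
    domain, creds = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.search(line)
        if m and domain is None:
            domain = m.group(1).lower()
            continue
        m = CRED_RE.match(line)
        if m:
            creds.append((m.group(1).lower(), m.group(2)))
    return domain, creds


def breached_domains(dumps):
    """Domains to flag: every dump that names a site and carries credentials."""
    flagged = set()
    for text in dumps:
        domain, creds = parse_dump(text)
        if domain and creds:
            flagged.add(domain)
    return flagged


def host_of(site):
    """Strip scheme and path so 'https://xyz.com/login' compares as 'xyz.com'."""
    return re.sub(r"^[a-z]+://", "", site.lower()).split("/")[0]


def on_site(host, domain):
    return host == domain or host.endswith("." + domain)


def check_vault(vault, flagged):
    """Produce the two alert kinds the post ends up distinguishing.

    ('breached_site', site, domain): the vault holds an account on a flagged site.
    ('password_reused', site, domains): an unflagged site shares a password with
    an account on a flagged site (the alert the author's portal actually got).
    """
    alerts = []
    reused = {}  # password -> flagged domains it is also used on
    for e in vault:
        h = host_of(e.site)
        for d in sorted(flagged):
            if on_site(h, d):
                alerts.append(("breached_site", e.site, d))
                reused.setdefault(e.password, set()).add(d)
    for e in vault:
        h = host_of(e.site)
        if any(on_site(h, d) for d in flagged):
            continue
        if e.password in reused:
            alerts.append(("password_reused", e.site, ",".join(sorted(reused[e.password]))))
    return alerts


if __name__ == "__main__":
    vault = [  # constructed vault; the hosts are illustrative
        VaultEntry("https://xyz.com/login", "me@example.net", "hunter2"),
        VaultEntry("https://portal.example-corp.co.uk", "me", "hunter2"),
        VaultEntry("https://other.example", "me", "unique-and-long"),
    ]
    for alert in check_vault(vault, breached_domains([SAMPLE_DUMP])):
        print(alert)
```

Run stand-alone, the vault above produces one `breached_site` alert for xyz.com and one `password_reused` alert for the portal, which is exactly the situation the author hit: an obscure site gets a warning not because it was breached but because its password also lives on a flagged site. The reuse check compares plaintext secrets here to keep the example short; a real vault would compare digests of the stored passwords instead.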

  2. Soph says:

    Dashlane is a program with many problems and bugs, but really many….
    I do not recommend it.

    • Damien says:

      Could you elaborate? 🙂

      • austinfrance says:

        I know you are not responding to me, but I had to stop using Dashlane on OS X due to memory leaks causing my system to suffer. I tried to help you guys out by sending you lots of info, but nothing ever came of it. That, coupled with improvements LastPass had made, caused me to switch back to LastPass.

        The problem was with the Dashlane Chrome plugin:

        6966 Plug-in Dashlane : Resident 325,632k Shared 120,832k Private 269,312k Virtual 1,162,240k

        Which I believe I tracked down to be a problem with or related to kwift.CHROME.min.js used by the plugin.

      • Damien says:

        Sorry to hear this. We’re working on fixing memory leaks but the work is far from done.
        We’ll let you know when we’re satisfied with the progress made on leaks and maybe you could come back to us 🙂

      • Soph says:

        Yes, of course. Dashlane does not provide good extensions for Chrome, nor for Internet Explorer and others; these extensions are incomplete and work very badly or not at all. If you buy Dashlane and ask support, you are not listened to or serviced. From my experience, I do not consider this a serious company. They want to revolutionize the internet with their application; in my opinion it destroys it. I turned to another application, older but stable, that works without any problem. That is what I have to say about Dashlane.

  3. syost says:

    How about updating again to say that Dashlane acknowledged the memory leak issue? It's useful that you note issues, but if you're not paying for it, then a fair deal is at least not to turn people away because of inaccurate status.
