
Dashlane Confirms Hackers Stole Password Vaults, Pentagon Location Tracking, and Hackers Trick Meta's AI

Dashlane confirms hackers stole around 20 encrypted password vaults, and it's being quiet about how. Plus US troops tracked via location data, Europe ditching US tech, and a wild Meta AI hijack.

Listen to the weekly podcast on Apple Podcasts, Spotify, other podcast apps, or RSS. You can also watch Surveillance Report on YouTube or Techlore.TV

On Our Radar 🎯

Dashlane Got Breached, And It's Being Way Too Quiet

A password manager getting compromised is a headline nobody wants to read, but we got it this week: Dashlane confirmed that hackers obtained at least a dozen, likely around 20, encrypted customer vaults during a recent attack. There are a lot of asterisks on this so far, but it's already starting to feel a lot like the LastPass data breach from a few years ago...

Here's what we actually know, and it's not much so far. Dashlane says hackers brute-forced their way past the company's two-factor authentication and got into roughly 20 customer accounts, then downloaded copies of those encrypted vaults. The company claims there's no evidence its own systems were compromised, but it hasn't explained how the attackers defeated 2FA, hasn't said whether a ransom was demanded, and didn't respond to requests for comment. I'm left wondering how vaults were stolen without the attackers compromising their systems...?

The (somewhat) reassuring part is that these were encrypted vaults, so the contents should still be unreadable without each user's master password. But LastPass taught us that "encrypted" isn't a magic word. Attackers who steal an encrypted vault can sit and brute-force it for as long as it takes, and people who used weak master passwords in the LastPass breach have seen millions of dollars drained from crypto wallets years after the original breach—and those vaults are still being attacked today. So the concern isn't really today, it's the slow attack against whoever in that group of 20 had a weak master password.

The other takeaway: Dashlane needs to step up. This is the most sensitive software a person can use; it's literally access to your entire life. Even if the investigation is genuinely ongoing, there's no excuse for not reaching out directly to the affected customers with specifics of what's currently known and not known.

What you can do: No matter which password manager you use, make sure your master password is long, strong, and unique. If you can, use a security key for phishing resistance. If you're a Dashlane customer, watch for direct communication from them if they decide to step up. I'm expecting some more updates on this one!


Bits & Bytes 🤖

~ Story 1: The Pentagon Admits US Troops Were Tracked With Commercial Location Data
Senator Ron Wyden revealed that the US Department of Defense confirmed adversaries surveilled military personnel using commercial location data, the same kind harvested by app trackers and SDKs, aggregated by data brokers, and sold to anyone willing to pay. Wyden called the data broker industry a national security threat.

My take: You can't build a surveillance economy that only watches "regular" people! The same data broker pipeline that tracks you also tracks soldiers, politicians, and everyone else. For once, "national security threat" is being applied to something that genuinely is one, and the fix isn't exemptions for the powerful; it's actual privacy protections for everyone. We're now in the world where even those in power can't escape these issues, and the sooner we guarantee basic digital rights—the sooner we can finally start getting ahead of this.

~ Story 2: Europe Is Accelerating Its Move Away From Big Tech
Europe is doing what it can to move away from big tech companies with Euro Office! This means dropping Google in favor of Qwant, swapping Microsoft for Nextcloud, and Gmail for Tuta. This is all part of a broader European push toward digital sovereignty.

My take: This is ultimately a geopolitical story, but the message is simple: if even entire countries are realizing the risk of depending on big tech, that's a signal these companies aren't just more powerful than individuals, they're more powerful than governments. The world is waking up to the harsh reality of the havoc these companies have caused (and continue to cause) and everyone's looking for a way off the sinking ship.

~ Story 3: Hackers Hijacked Celebrity Instagram Accounts By Just Asking Meta's AI

In one of the most absurd stories of the year, hackers gained access to high-profile Instagram accounts by essentially just asking for an email change, and the AI complied. Meta has since started alerting affected users.

My take: A support chatbot with the power to modify account details is a reckless design decision, and it reflects Meta's lack of care for user safety. This is the same company firing real people in the effort to replace them with AI, the same company trying to add AI 'engagement' on their platforms to keep people engaged, the same platform knowingly exploiting children, the same platform whose CEO wants to AI-clone himself in meetings, and that same CEO won't even let his children use the platform. This story is just one more infuriating drop in the bucket of Meta's decades of controversies.
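An added illustration of the design point above, not Meta's code or anything the article describes: a policy layer between an LLM support agent and the account backend, where the model can only propose tool calls, and a sensitive change such as an email swap is refused unless a recent out-of-band step-up verification exists for that same account. The tool names, the step-up window and the session fields are assumptions.

```python
from dataclasses import dataclass, field
from typing import Optional
import time

# Constructed example: the agent proposes tool calls; this layer decides.
READ_ONLY_TOOLS = {"get_account_status", "get_login_history"}
SENSITIVE_TOOLS = {"change_email", "change_phone", "reset_password"}
STEP_UP_MAX_AGE = 300  # seconds a step-up verification stays valid (assumption)


@dataclass
class Session:
    account_id: str
    # Set only by an out-of-band check (e.g. a code sent to the existing
    # contact method), never by anything the chatbot says or is told.
    step_up_verified_at: Optional[float] = None


@dataclass
class ToolCall:
    name: str
    args: dict = field(default_factory=dict)


def authorize(session: Session, call: ToolCall, now: Optional[float] = None):
    """Return (allowed, reason). Default is deny; chat text is never evidence."""
    now = time.time() if now is None else now
    if call.name in READ_ONLY_TOOLS:
        return True, "read-only tool allowed"
    if call.name not in SENSITIVE_TOOLS:
        return False, f"unknown tool {call.name!r} refused"
    # The model having been "convinced" in the transcript proves nothing about
    # who is typing; only a fresh out-of-band step-up on this account counts.
    if session.step_up_verified_at is None:
        return False, "sensitive tool requires step-up verification"
    if now - session.step_up_verified_at > STEP_UP_MAX_AGE:
        return False, "step-up verification expired"
    if call.args.get("account_id") != session.account_id:
        return False, "tool call targets a different account"
    return True, "sensitive tool allowed after fresh step-up"
```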


This Week on Techlore 📺

This week we had a couple of exciting pieces of content! To start, we had DuckDuckGo on Techlore Talks to discuss their role in the fight for digital rights:

DuckDuckGo’s Director of Product on Ads, Google, and the Ecosystem They’re Actually Building
Techlore Talks brings you in-depth conversations with the experts at the forefront of digital rights, privacy and security.

And we partnered with Cape, the private cellular provider, to make an in-depth guide on what all of us can realistically do to protect ourselves on cellular networks:

The Truth About Phone Carrier Tracking (It’s Worse Than You Think)
Your cell carrier knows your name, your location, who you called, when you called them, how long you talked, and more. What’s worse, this data sits on their servers for years. VPNs and Signal help, but they don’t touch the infrastructure layer. Here’s what you can actually do, and how

And finally, our SPA Tools are OFFICIALLY LIVE! Here's how it all comes together:

SPA Quiz, quiz.techlore.tech

Take the SPA Quiz to discover your archetype. Carry it into SPA Tools, where that same archetype filters the best tools for you. The VPN Finder puts your top VPN contenders side by side until the right choice is obvious. And any time you want to understand why, the brand new SPA Wiki is right there for you to learn. I'll be doing more formal announcements for these soon, they took months of effort and I wish I had access to these tools when I started my journey.


Action Item ✅

Take two minutes this week to check your password manager's master password. If it's anything short, reused, or guessable, change it to something long, unique, and random, ideally a passphrase you can actually remember. The Dashlane breach is a reminder that an encrypted vault only protects you as well as the password locking it.
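To put rough numbers on the point made in the Dashlane section and in this action item, here is an added estimator (not from the article or from any vendor) of how long an offline attack on a stolen vault copy would take for a given master password. The guess rates are constructed order-of-magnitude assumptions, and the character-class entropy is an upper bound that patterned or dictionary passwords fall far below.

```python
import math

# Constructed assumptions, not figures from the article: rough offline guess
# rates an attacker holding a stolen vault copy might reach against the vault's
# password-based KDF. Offline means no server is there to rate-limit guesses.
GUESS_RATES_PER_SECOND = {
    "pbkdf2_modest_gpu": 1e6,  # assumed: PBKDF2-SHA256 ~100k iterations, GPU rig
    "argon2id_strong": 1e3,    # assumed: memory-hard KDF with strong parameters
}
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def charset_size(password: str) -> int:
    """Alphabet a random-search attacker would have to cover."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(not c.isalnum() for c in password): size += 33
    return size


def password_bits(password: str) -> float:
    """Upper bound: treats the password as random over its character classes.
    Dictionary words, dates and reused passwords sit far below this bound."""
    return len(password) * math.log2(charset_size(password))


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Guessing work for a randomly chosen passphrase (7776 = diceware list)."""
    return words * math.log2(dictionary_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try the whole space; expected time is half of this."""
    return (2.0 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def verdict(bits: float, rate_name: str = "pbkdf2_modest_gpu") -> str:
    years = years_to_exhaust(bits, GUESS_RATES_PER_SECOND[rate_name])
    if years < 1:
        return "weak"
    if years < 1e6:
        return "marginal"
    return "strong"


if __name__ == "__main__":
    for label, bits in [("pass1234", password_bits("pass1234")),
                        ("6-word passphrase", passphrase_bits(6))]:
        print(f"{label}: {bits:.1f} bits -> {verdict(bits)} "
              f"({years_to_exhaust(bits, 1e6):.2e} years at 1e6 guesses/s)")
```

The KDF matters too: the same 8-character password moves from "weak" to "marginal" under the assumed memory-hard rate, but only a long random passphrase is comfortable under either.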

This Week's Sources

Highlight: Dashlane Confirms Hackers Stole Customer Password Vaults

Story 1: Pentagon Confirms US Troops Targeted With Commercial Location Data — Senator Calls Ad Industry a National Security Threat

Story 2: Europe Pulls Away From US Tech — Parliament Drops Google, France Refuses RCS E2EE, Euro-Office Launches With Tuta

Story 3: Hackers Hijacked Celebrity Instagram Accounts by Tricking Meta's AI Support Chatbot
