Dashlane has published an explanation of how attackers managed to download encrypted password vaults from its service - and the technique was simpler than you might expect. The key was volume: by targeting large numbers of accounts simultaneously, attackers played a numbers game where even a small success rate translated to real damage.
The most likely attack method is credential stuffing - where stolen username and password combinations from previous data breaches are tested en masse against a target service. With billions of leaked credentials circulating on criminal marketplaces, mass automated attacks give attackers enough attempts that some will inevitably succeed.
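On the defending side, that volume pattern is also what gives credential stuffing away in authentication logs: one source trying many different accounts in a short window, with only a few successes. The sketch below is an added example, not Dashlane's code or anything from its write-up; the log format, the sample lines and the thresholds are assumptions made up for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth log (not real data); IPs are from documentation ranges.
SAMPLE_LOG = """\
2024-05-01T10:00:00 ip=198.51.100.20 user=carol result=fail
2024-05-01T10:00:01 ip=203.0.113.7 user=alice result=fail
2024-05-01T10:00:02 ip=203.0.113.7 user=bob result=fail
2024-05-01T10:00:03 ip=203.0.113.7 user=dave result=fail
2024-05-01T10:00:04 ip=203.0.113.7 user=erin result=ok
2024-05-01T10:00:05 ip=203.0.113.7 user=frank result=fail
2024-05-01T10:00:06 ip=203.0.113.7 user=grace result=fail
2024-05-01T10:00:20 ip=198.51.100.20 user=carol result=fail
2024-05-01T10:00:40 ip=198.51.100.20 user=carol result=ok
"""

def parse(line):
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.fromisoformat(ts), kv["ip"], kv["user"], kv["result"] == "ok"

def detect_stuffing(log_text, window_s=60, min_users=5, max_success_ratio=0.25):
    """Flag sources that try many distinct accounts in a short window with few successes."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse(line)
            by_ip[ip].append((ts, user, ok))
    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e[0])
        window = deque()  # events from this source within the last window_s seconds
        for ev in events:
            window.append(ev)
            while (ev[0] - window[0][0]).total_seconds() > window_s:
                window.popleft()
            users = {u for _, u, _ in window}
            ratio = sum(ok for _, _, ok in window) / len(window)
            if len(users) >= min_users and ratio <= max_success_ratio:
                # Accounts that logged in successfully from this source need a forced reset.
                hit = sorted({u for _, u, ok in events if ok})
                prev = findings.get(ip, {}).get("distinct_users", 0)
                findings[ip] = {"distinct_users": max(prev, len(users)), "compromised": hit}
    return findings

if __name__ == "__main__":
    print(detect_stuffing(SAMPLE_LOG))
```

A user who mistypes a password a few times (the `carol` lines) touches only one account and is not flagged; the flagged source's single success is the account to lock and reset first.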
The partial good news is that what attackers got were encrypted vaults, not readable passwords. Each vault is locked with a user's master password, so attackers need to crack that before accessing anything useful. Strong, unique master passwords (16+ characters, not based on dictionary words or personal details) are computationally expensive to crack. Weak or reused ones are not.
If you use Dashlane: change your master password to something long and unique, enable two-factor authentication if you haven't already, and treat your master password as seriously as you'd treat the keys to a safe deposit box. Reusing it on any other site defeats the purpose entirely.
The incident is a reminder that password managers, while still one of the best security tools available, are not impervious. The encrypted-vault-at-rest model protects against server-side breaches far better than plain-text storage - but the master password remains the single point of failure. Protecting that one credential is the whole job.