🔴 Attackers brute-forced Dashlane's 2FA and downloaded encrypted vaults. Here's what MSPs need to know

If you deploy Dashlane for clients, check your inboxes this morning.

Between May 31 and June 2, attackers ran a sustained brute-force campaign against Dashlane’s two-factor authentication, exploiting a fundamental limitation of TOTP codes.

A six-digit code gives only one million possible combinations per 30 second window. With enough automated attempts, that window is crackable. Dashlane’s security systems detected the attack and suspended affected accounts. But not before attackers successfully registered unauthorised devices on a small number of accounts and downloaded their encrypted vaults. BleepingComputer

Fewer than 20 personal plan users had vaults downloaded. Dashlane’s zero-knowledge architecture means those vaults remain unreadable without each user’s master password… so users with strong, unique master passwords are safe. Users with weak or reused master passwords are at risk of offline cracking attempts. Dashlane confirmed no breach of internal systems and says all affected accounts have been unsuspended. The incident status is currently “monitoring.” The Register

Two things worth doing today.

• First, if any of your clients use Dashlane and received a vault-risk email from Dashlane directly, treat that account as compromised and rotate the master password immediately

• Second, and more broadly, this incident is a useful reminder that TOTP 2FA is significantly weaker than most people assume. Where possible, push clients toward phishing-resistant authentication: passkeys, hardware security keys, or number-matching MFA rather than six-digit codes.

🟡 The 20 MSP just completed its 48th acquisition

The 20 MSP announced yesterday it has acquired four more managed service providers, bringing its total acquisition count to 48 since the company began its aggressive roll-up strategy. The 20 MSP

To put that number in perspective: last year, 466 separate MSP businesses were acquired worldwide: one every 19 hours, on average. The total value of those deals was $4.3 billion. And 2026 is on track to beat that.

The reason is straightforward. There’s a lot of money sitting in private equity funds that needs to be deployed, and MSPs with recurring revenue, happy clients, and clean books are exactly what those investors are looking for. Businesses that have been around for ten or fifteen years, built by founders who are starting to think about what comes next, are particularly attractive.

🟢 UK small businesses are taking their time with AI. That's not a problem… it's your opportunity.

MSP Channel Insights published a fresh piece yesterday on UK SMB AI adoption trends… and the headline finding is “cautious optimism”. MSP Channel Insights

Among small businesses with 50-99 employees, 37% have fully embraced AI and almost half are using it selectively for high-impact tasks. But below that, in the 1-49 employee range that makes up the bulk of most MSPs’ client bases, adoption drops sharply.

The gap between those two groups is almost entirely explained by one thing: access to someone who can help. Larger businesses have internal IT capacity. The smaller ones are luckier… they have you 😃

That’s hump day done. We’ll be back in your inbox tomorrow morning.