Password Manager Dashlane Suspends Accounts After Brute-Force Attacks
Security · 1 Jun 2026 · 8 min read

Rodney
Head of Tech Realism · Black Sheep Support

A recent incident involving Dashlane, a widely used password manager, saw numerous customer accounts suspended in response to a series of brute-force attacks. These attacks, which systematically attempt many password combinations to gain unauthorised access, caused significant disruption for users. For businesses increasingly reliant on password managers and other cloud services, this event serves as a sharp reminder of the persistent vulnerabilities inherent in even established platforms. It underscores the necessity for robust, multi-layered security protocols that extend beyond a single solution.

What a brute-force attack actually means

A brute-force attack is a method of gaining access to a system or account by trying every possible combination of characters until the correct password is found. It is, in essence, a digital form of trial and error, executed with extreme speed by automated tools. Unlike phishing, which manipulates users into revealing credentials, or malware, which infects systems, brute-force attacks are a direct assault on the authentication mechanism itself. The attacker doesn't need prior knowledge of the password; they simply attempt every permutation. Common targets include login portals for email, cloud services, remote access (like RDP or VPN), and, as we've seen, password managers. The goal is straightforward: to compromise an account by sheer persistence, often exploiting weak passwords or the absence of stronger protective measures.

Why it matters for UK SMEs

For UK SMEs, an incident like the one experienced by Dashlane isn't merely an inconvenience; it carries tangible commercial, operational, and regulatory implications. Firstly, operational disruption is immediate. If your business relies on a password manager to access critical services, a suspension means a sudden inability to retrieve vital login credentials. This can halt operations, impact productivity, and potentially lead to financial loss through downtime. Consider the ripple effect: if you can't log into your accounting software, CRM, or banking portal, essential business functions cease.

Secondly, there are significant regulatory concerns. Under the General Data Protection Regulation (GDPR), businesses are obligated to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A successful brute-force attack, particularly one that leads to a data breach, can be a clear indicator of insufficient security. The Information Commissioner's Office (ICO) in the UK takes a dim view of inadequate cyber defences, and penalties can be substantial, alongside the inevitable reputational damage.

Furthermore, compliance frameworks like Cyber Essentials, which many UK SMEs pursue, explicitly require robust password policies and, critically, multi-factor authentication (MFA) to guard against such attacks. Failing to meet these standards not only makes your business a softer target but also jeopardises your ability to secure certain contracts or insurance policies that mandate such certification. The National Cyber Security Centre (NCSC) consistently advises on the importance of strong, unique passwords and MFA as foundational security practices. Ignoring these recommendations isn't just poor practice; it's a risk to your business continuity and its standing.

How to secure your business against brute-force attacks: a practical walkthrough

Protecting your business from brute-force attacks requires a multi-faceted approach, moving beyond simple password strength to encompass policy, technology, and user behaviour.

Implement Robust Password Policies

Your first line of defence is a strong password. This means enforcing policies that mandate length and complexity. We typically recommend a minimum of 12 characters, incorporating a mix of upper and lower-case letters, numbers, and symbols. Crucially, passwords must be unique. Reusing passwords across different services creates a single point of failure; if one service is compromised, all others using the same password become vulnerable. While forced password rotation used to be common advice, the NCSC now suggests that regular, mandatory changes, without a known compromise, often lead to weaker, more predictable passwords. Focus instead on unique, long, and complex passwords, only changing them if a breach is suspected. A reputable password manager, when implemented correctly with strong master passwords and MFA, is a valuable tool here.

Enforce Multi-Factor Authentication (MFA)

This is arguably the single most effective deterrent against brute-force attacks. MFA requires users to provide two or more verification factors to gain access to an account. This typically involves something the user knows (a password), combined with something the user has (a mobile phone, a hardware token) or something the user is (biometrics). Even if an attacker manages to guess a password through brute-force, they will be blocked without the second factor. Common MFA methods include authenticator apps (e.g., Microsoft Authenticator, Google Authenticator), hardware security keys (e.g., YubiKey), or, with some caveats, SMS codes. While SMS-based MFA is better than nothing, it's generally considered less secure than app-based or hardware token methods due to potential SIM-swapping attacks.

  • Experience Signal: On a recent client tenant audit, we found 60% of users in a 30-person engineering firm had no MFA enrolled on their primary Microsoft 365 accounts, leaving their email and cloud files critically exposed. Addressing this was the first priority during their onboarding process.

Implement Account Lockout Policies

Configure your systems to automatically lock accounts after a certain number of failed login attempts (e.g., three to five attempts). This significantly slows down or entirely stops brute-force attacks by preventing continuous guessing. The lockout duration can vary, from a few minutes to permanent lockout requiring administrator intervention, depending on the sensitivity of the account and the system. Balancing security with usability is key here; you don't want legitimate users to be locked out too easily.

Monitor Login Activity and Set Alerts

Proactive monitoring of login attempts is essential. Modern cloud services (like Microsoft 365, Google Workspace) and network devices provide detailed audit logs. Configure alerts for:

  • Numerous failed login attempts from a single IP address or user account.
  • Login attempts from unusual geographic locations that don't align with your business operations.
  • Logins outside of normal working hours.
  • Attempts to access highly sensitive accounts.

Regularly review these logs or, better yet, integrate them into a Security Information and Event Management (SIEM) system if your scale warrants it.
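To make the lockout policy and the monitoring rules above concrete, here is an added example (not Dashlane's or Microsoft's code, and not from the original dispatch) that replays a constructed, hypothetical sign-in log: it locks an account after three failures inside ten minutes, refuses even a correct password while the lock is in force, alerts when one IP address fails against several different accounts (a pattern per-account lockout alone never sees), and flags successful logins outside working hours. The log format, thresholds and 08:00-18:00 working window are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events in a hypothetical format (not Dashlane or M365 logs).
SAMPLE_LOG = """\
2026-06-01T09:00:01Z user=alice ip=203.0.113.5 result=FAIL
2026-06-01T09:00:02Z user=alice ip=203.0.113.5 result=FAIL
2026-06-01T09:00:03Z user=alice ip=203.0.113.5 result=FAIL
2026-06-01T09:00:04Z user=alice ip=203.0.113.5 result=SUCCESS
2026-06-01T09:05:00Z user=bob ip=198.51.100.7 result=FAIL
2026-06-01T09:05:01Z user=carol ip=198.51.100.7 result=FAIL
2026-06-01T09:05:02Z user=dave ip=198.51.100.7 result=FAIL
2026-06-01T23:10:00Z user=carol ip=192.0.2.11 result=SUCCESS
"""

FAIL_THRESHOLD = 3                    # lock the account after this many failures...
FAIL_WINDOW = timedelta(minutes=10)   # ...that fall inside this window
LOCKOUT = timedelta(minutes=15)       # how long the account then stays locked
SPRAY_THRESHOLD = 3                   # distinct accounts failing from one IP
WORK_HOURS = range(8, 18)             # 08:00-17:59 counts as normal working hours

def parse(line):
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event

def analyse(log_text):
    recent_fails = defaultdict(list)  # user -> failure timestamps inside the window
    locked_until = {}                 # user -> when the lockout expires
    ip_users = defaultdict(set)       # ip -> distinct accounts that failed from it
    alerts = []
    for ev in map(parse, log_text.splitlines()):
        user, ip, ts = ev["user"], ev["ip"], ev["ts"]
        if ts < locked_until.get(user, ts):
            # Even a correct guess is refused while the lockout is in force.
            alerts.append(("REJECTED_WHILE_LOCKED", user, ip))
            continue
        if ev["result"] == "FAIL":
            fails = [t for t in recent_fails[user] if ts - t <= FAIL_WINDOW] + [ts]
            recent_fails[user] = fails
            if len(fails) >= FAIL_THRESHOLD:
                locked_until[user] = ts + LOCKOUT
                recent_fails[user] = []
                alerts.append(("LOCKED", user, ip))
            # Per-account lockout misses one source trying each account once, so count those too.
            ip_users[ip].add(user)
            if len(ip_users[ip]) == SPRAY_THRESHOLD:
                alerts.append(("MANY_ACCOUNTS_FROM_IP", ip, SPRAY_THRESHOLD))
        elif ts.hour not in WORK_HOURS:
            alerts.append(("OFF_HOURS_LOGIN", user, ip))
    return alerts
```

Calling `analyse(SAMPLE_LOG)` yields one lockout for alice, a rejection of her subsequent correct login, a spray alert for 198.51.100.7 and an off-hours alert for carol; in production these decisions would feed the SIEM rather than a Python list.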

Educate Your Employees

Your staff are your first and often most critical line of defence. Regular training is not optional. Employees need to understand:

  • The importance of strong, unique passwords and why they shouldn't be shared.
  • How MFA works and why it's a mandatory step.
  • How to recognise phishing attempts, which often precede brute-force attacks by attempting to harvest initial credentials.
  • Who to report suspicious activity to within your organisation.

A culture of security awareness reduces the likelihood of human error leading to a breach.

Review Third-Party Service Security

The Dashlane incident highlights the risk associated with relying on external providers. Conduct due diligence on all third-party services your business uses, especially those handling sensitive data or acting as critical access points. Ask about their security protocols, their incident response plans, and their track record. Understand their data protection policies and ensure they align with your own regulatory obligations. Have contingency plans in place should a critical third-party service experience an outage or security incident. This might involve having backup access methods or alternative service providers identified.

Common mistakes we see

Based on our experience at Black Sheep Support, many SMEs, despite good intentions, often fall short on fundamental security practices, leaving them exposed to attacks like brute-force.

  1. Inadequate Password Policies: Many businesses still permit short, simple passwords or allow employees to reuse credentials across multiple platforms. This makes automated guessing far too easy.
  2. Lack of Multi-Factor Authentication (MFA): This is the most prevalent and critical oversight. While passwords can be compromised, MFA adds a vital second layer that renders most brute-force attacks ineffective.
  3. Over-reliance on Single Solutions: Solely depending on one password manager or one cloud provider without any backup access plans or diversification can lead to operational paralysis if that single solution experiences an outage or breach.
  4. Ignoring Audit Logs: Many organisations have logging enabled but fail to actively monitor or analyse these logs for suspicious login patterns or unusual activity, missing early warning signs.
  5. Insufficient Employee Training: Staff are frequently left unaware of the latest threats, the importance of their role in security, or how to identify and report suspicious emails or login requests.

Key Takeaways

  • MFA is non-negotiable: Implement multi-factor authentication on all critical business accounts; it is your strongest defence against unauthorised access.
  • Enforce robust password policies: Mandate long, complex, and unique passwords for all staff, ideally managed through a secure, well-configured password manager.
  • Diversify and back up: Do not rely solely on one security solution or provider; ensure you have alternative access methods and contingency plans.
  • Monitor and educate: Actively monitor login activity for anomalies and provide regular, practical cybersecurity training for all employees.
  • Vet third parties: Understand and assess the security posture of all third-party services your business uses.

When to call in help

Implementing and maintaining comprehensive cybersecurity measures, particularly for UK SMEs with limited internal IT resources, can be a complex and time-consuming undertaking. Keeping abreast of evolving threats, configuring intricate security policies, and ensuring continuous monitoring often requires specialist expertise that isn't readily available in-house. If your team is stretched, or you're unsure about the robustness of your current defences against attacks like brute-force, it's a sensible commercial decision to engage with specialists. An external partner can provide the necessary technical knowledge, implement best practices, and free up your internal resources to focus on core business operations.
