Important Statement on Enforced Password Rotation & MFA

Dear IT Glue Customers,

On October 8th we shared communications with all IT Glue users that outlined enhanced security measures being implemented to help protect our customers and their customers. Based on a significant increase in nefarious activity by individuals attempting to access IT Glue accounts utilizing credential stuffing tactics, we made the decision to enforce mandatory password resets and multi-factor authentication (MFA) setup for all user accounts in order to ensure a higher level of security for their environments.

We would like to stress, once again, to all IT Glue customers that there is no evidence of a breach of IT Glue. What our advanced monitoring tools have detected is that there has been a significant increase in attempts to access IT Glue users accounts in a concerted credentials stuffing campaign. This past August, the Federal Bureau of Investigation (FBI) warned of a rising trend of cybercriminals using proxies to conduct large-scale credential stuffing attacks across various companies. According to the FBI, “Credential stuffing attacks, commonly referred to as account cracking, apply valid username and password combinations, also known as user credentials or “combo lists”, from previously compromised online resources or data leaks.”

We take the security of the software tools we provide our customers very seriously, and we have a dedicated team working to protect you and your business against the relentless, increasing stream of attacks typical of today’s threat landscape. As a key part of IT Glue’s architecture, there are several security capabilities designed to help our customers protect themselves.

Not only is IT Glue SOC-2 Type II compliant, it has numerous user-controlled security measures to help protect our customers’ valuable data, including:

  • IP access control: Restricts access to approved IP addresses only.
  • IT Glue Vault: A host-proof-hosting structure that allows users to encrypt and decrypt exclusively at the endpoint with a user-specific passphrase. This means that the IT Glue system never sees passwords in their unencrypted form.
  • Automated workflows for accessing and changing passwords: Notifies target users when a sensitive or important password is accessed, added, updated or destroyed.
  • SSO: Users are redirected to an identity provider where they can complete authentication based on conditional access policies
  • MFA: During sign-on, users are prompted for their username and password plus an authentication code generated by an authenticator application to add an additional layer of security.
  • Roles & permissions: User roles and access permissions are controlled by designated Admins to restrict user access to assets in IT Glue.
  • Activity logs: IT Glue account activity can always be monitored and reviewed.

Our team remains hyper-focused on proactively monitoring this situation and we are confident that the enforcements put in place over the past few days are necessary to help our customers maintain a proper level of security. To reiterate, there is zero evidence that there has been a breach of IT Glue. We promise to keep our customers updated on any additional information and appreciate your continued support.

Regards,
Jason Manar
Chief Information Security Officer
Kaseya