From the Desk of Kaleb Jacob,

Just recently, Cisco put out a press release stating that their DUO product had suffered a compromise that impacted approximately 1% of the clients that use it. They also indicated that they are reaching out to impacted clients individually, and they provided an email address to inquire about it, which we did. We received a timely response that our organization and the clients within were not impacted, and we felt it was important to let our customers know, since this is a product that our Complete Support clients use as an important safety measure.

The article is below, but in layman’s terms, here is what happened. The service itself was not compromised, meaning that the DUO service was not circumvented. Instead, data was extracted (techies love to use the word “exfiltrated”, BTW) and could be used for future phishing or hacking. Specifically, the SMS function of the product was exposed, meaning that phone numbers may have been accessed, which could be used for phishing attempts. The vast majority of our clients use the phone app method to authenticate a session, and some use YubiKeys, which are encrypted USB fobs that validate your identity without requiring a phone app. Again, Cisco has informed us that our clients are not affected, and we can provide this upon request.

This is a reminder of the cyber landscape today, which is only becoming more dangerous. All too many times, I come across people in my travels who feel immune to invisible threats that are constantly evolving and always knocking at your door. One click can cause major problems for an organization, and technology like DUO is critical to keeping computer users safe. There will be breaches of these products in the future, but the key is that it’s still better to have it. You should know that there is no single product that can keep you completely safe, and most of you have heard me call security a recipe where the ingredients change periodically.

We are thankful that we are informed when these breaches occur, and know that we look further into these reports to essentially fact-check a press release whenever possible, because sometimes we are only told half of the story. An example was when the password vault LastPass was lightly breached in August 2023, but by November they were forced to admit that it was far more grave. Knowing that in August would have caused fewer headaches if people could have changed their passwords at that time. While LastPass wasn’t a product we promoted, we still say that a password vault is highly recommended despite the risk.

Know that we will stay on top of this one and publish any updates if they are released. As always, reach out to us if you have any questions.

Cisco Duo warns third-party data breach exposed SMS MFA logs