@pearkes
Last active January 15, 2016 16:10
An email template to send to your boss following the MongoHQ incident. Use 1Password (preferred), iCloud Keychain or LastPass.

[BOSS'S NAME],

Recently, a rather large database provider named MongoHQ had a security incident allowing the attackers to gain access to all of their customer databases.

Although we are not directly affected by this, it does raise two questions:

  • Are we fully prepared for a similar intrusion?
  • Does our admin/support system have similar vulnerabilities?

Here is an excerpt from their security posting (bold is mine):

We immediately responded to this event by shutting down our employee support applications and beginning an investigation which quickly isolated the improperly secured account. We have determined that the unauthorized access was enabled by a credential that had been shared with a compromised personal account.

No internal application was made available to our team before a team-wide credential reset and audit.

Users of our support application have access to account information, including lists of databases, email addresses, and bcrypt-hashed user credentials.

We too have an admin system available for employees that can access personal data.

For this reason, I encourage [COMPANY] to sponsor the purchase, education and use of 1Password for all employees with access to internal systems. Password re-use creates security risk both for us and for the employees' personal accounts.

1Password will eliminate password re-use when used properly. This won't make our system bullet-proof, but it reduces the exposure of our support and admin systems when a third party (e.g. LinkedIn) is compromised.

Let me know if you have questions or want to talk further about this, including how we should go about educating employees.

Best,

[YOUR NAME]
