So Ninja RMM is cloud RMM software for MSPs and IT pros. It's, you know, tools and automation that's popularly used amongst MSPs. I am not a user, nor have I ever been a user of Ninja RMM. So I want to disclose that. I want to also say this is not to bash on Ninja RMM, but this is to raise some concerns. And I do use, for full disclosure, a competing product. I'm not paid by anyone to do this. I'm doing this of my own free will, I guess you could say, and no one's sponsoring this unless there's some ad on the channel, which isn't exactly the same as a sponsor. All right, so we get that out of the way.
So this is, like I said, not just a bash on them, but I'm browsing through Reddit as I do and reading through some of the posts. And someone had a title, it said, "Heads up Ninja RMM being spoofed," over in the Reddit MSP subreddit. Well, and I'm gonna leave links to all this so you guys can read through this yourselves. And this is the status of it right now. This was only posted 13 hours ago, and there's still responses coming in on this because this is very concerning.
So first, Eric at Ninja RMM was apparently sending out emails that look like some invoice payment that linked to a spoofed Office 365 sign-in to try to steal your credentials. And so this is what the screenshots are here. And the person that submitted it says, "I don't have any relationship with Ninja RMM apart from requesting a demo a year or two ago. I just got this email from my Office 365 account." So this is very concerning. This means someone got into their system.
So here is AJ Ninja PM. AJ appears, based on his username, to work for them. I looked through the history, lots of posts, you know, talking about and suggesting people contact sales at Ninja RMM. So: "Hi, this is AJ. Eric's email got hacked. We are fixing it right now. Thanks for the heads up." And people go into ranting about the two factor. And later, AJ posted this, and this is where it gets scary.
First thing he posts was, "Guys, we're talking apples and oranges. The mail account of one user was hacked. We use Office 365. This is not related to our application, so nothing to worry about." "Nothing to worry about" is not how we would raise this. And the reason why is if you compromise a salesperson who has access to account information, that salesperson may or may not have passwords, may or may not have all the details they need, but has at least some level of access. And that's an edge for a hacker to get in there and start having more knowledge. They have, you know, transactional history of how the salesperson engineered maybe with whoever the people that were interacted. Obviously, they sent an email to this person who only requested a demo. So it looks like they're probably just using something to automatically pull through contacts and spoof. But what if they have more access? And being able to imitate your sales guy and being able to set up new accounts and gaining more access into the Ninja system becomes kind of scary.
They had it on there. And you know, people going on about the two factor. And this is what AJ had to say six hours ago; as of now it is 9 a.m. on July 27th. "We don't use SharePoint or OneDrive. We turned on two factor throughout the company right after the incident and are examining things." We turned it on after, oh, great. But a company that does HIPAA IT compliance for MSPs and monitoring and learning for MSPs and talks about GDPR and privacy policies and is a security company in the realm of helping out other IT companies as an automation tool. This worries me a bit. So partly, like I said, I'm not here to bash on, but I am here to raise some concerns and questions and I really hope they do a full debrief of what went wrong and how they're planning to fix it. Sounds like they plan to fix it by turning on two factor, which is wonderful, but that worries me when I see companies like that.
You know, the first comment below is, "We're a two man shop. We've used 2FA from day one." And that's how we are. We have always used two factor authentication, even on things that are internally locked down like our wiki, we have two factor turned on. Even though you can't even access it outside this building and you can't access it from without a restricted computer, it's only a couple IP addresses that restrict access control policies that allow it: username, password and two factor. Why? Because it supports it. Just because it's internally locked down doesn't mean I don't do it. And this of course goes doubly so for all of our more accessible things. We're a G Suite user. So all of our staff that log into G Suite all have two factor turned on. This is just, you know, standard par for the course, using some form of two factor authentication depending on how the application supports it.
So it's very concerning to me that a company providing security for IT companies does this and it's just very worrisome. I'm more than happy if someone from them wants to reach out to me and get in a discussion about it but I'd like a full debrief, not a marketing speak about this. Like, hey, we made a mistake. We did not turn it on. This is how we're gonna go forward. Because we're placing a lot of trust in these companies to do things. And this is why I'm always careful when everyone says, hey, did you try this company that just started up? They're half the price of company Y. And this is sometimes not the best way to approach it. You have to really think about this because, you know, for us, we're managing hundreds of computers with our RMM tool. So the security of that RMM tool is paramount. And companies, you know, they can't just run fast and loose going, yeah, it was inconvenient to turn two factor on but hey, since we got hacked, I guess we gotta turn it on. Like I said, I'm not here to bash on. I'm here to raise some concern, raise some questions.
And I think they can gain the public's trust back or the private, however you wanna look at it, the users of the tool or people interested in the tool, by doing a full disclosure. Mistakes happen, we're human. I hope to never make such a mistake, but I am human, it can happen. So, but the best way to gain the trust of the public back is gonna be to do disclosures. Talk about, look, we are human. We made a mistake. We should have had this turned on. And now we do. And going forward, we're gonna be reexamining this and this is now a company policy. Thank you. 'Cause we have enough problems managing security for our clients. We don't need security problems coming from the tools that we use because, well, that only makes our life that much harder as an IT company if there's security problems there.
So, that's just my thoughts on it. I wanted to share them and I'll leave a link here so you can read, 'cause the discussion, there's still people updating two hours ago, six hours ago. There may be more people on there so I'm really hoping there's a full disclosure and a write up on this. And if someone from Ninja RMM would like to have a real technical discussion about what happened there and how they're gonna fix it, that'd be great. I mean, I'm interested in this. 'Cause it's not that I'm trying to badmouth them as a company. I'm just saying, you guys didn't have two factor. It's kind of a face palm moment here. And I think they're thinking the same thing. Trust me. These guys are going, wow, we're a big company. We should have, you know, someone's evaluating some of these things right now. As we speak, I'm positive. There's a lot of activity at the office over there. Thanks for watching.