Webroot 2FA Now Mandatory As Hackers Target MSPs

Webroot has made two-factor authentication mandatory as attackers continue to target MSP software platforms in a bid to spread ransomware across end-customer systems, the cybersecurity company confirmed to ChannelE2E and MSSP Alert.

In a statement to ChannelE2E, Webroot was quick to assure MSPs (managed IT service providers) and customers that the company “was not breached and our products were not compromised.” Also, the company pointed to its new mandatory stance on two-factor authentication (2FA) amid recent “threat actor” activity.

Webroot SVP Chad Bacher

Chad Bacher, SVP of products, Webroot, a Carbonite company, said:

“We all know that two-factor authentication (2FA) is a cyber hygiene best practice, and we’ve encouraged customers to use the Webroot Management Console’s built-in 2FA for some time.

Recently, Webroot’s Advanced Malware Removal team discovered that a small number of customers were impacted by a threat actor exploiting a combination of customers’ weak cyber hygiene practices around authentication and RDP.

To ensure the best protection for the entire Webroot customer community, we decided it is time to make two-factor authentication mandatory. We did this by conducting a console logout and software update the morning of June 20.

We are always closely monitoring the threat environment, and will continue to take proactive measures like this to provide the best protection possible for customers.”

FBI, Department of Homeland Security Warning to MSPs

Hackers have repeatedly targeted MSP software, management consoles, remote control systems and RMM (remote monitoring and management) platforms to target end-customer systems with ransomware, according to an FBI and U.S. Department of Homeland Security warning to MSPs.

Related Content


Return Home



    Eric Rieger:

    Except that Webroot doesn’t really have a true 2FA solution. Their second pass at authentication is asking for 2 characters from the original password which is beyond dumb. They reference it as your “security code” but anyone who has used it knows that’s what it’s referencing so I’m guessing the hackers know that too. I’d expect better from a company in the security space. i was floored when our techs told me that this morning.

    Damian Stalls:

    It’s not 2 characters from your original password. You are required to have a password and a pin code. The login asks for 2 characters from that pin which is either 6 or 8 characters long. Better than nothing but true MFA would be better.

    Overall we have seen a decline in effectiveness from Webroot and in the process of consolidating more services with Sophos.

    Lorenzo Celussi:

    Hi. Any plan to introduce password expiration inside GSM console and/or a true 2FA?
    Thank you.


    The loss of effectiveness of webroot is obvious if compared to that of other vendors. a real F2a (mail-sms- google authenticator) is absolutely necessary


    This is NOT 2FA. A key logger running with a bit of history and WHAMO! Webroot – Get it together. Make this product secure so we can keep using it.


    Not only is this not true 2FA, but the requests for true 2FA in Webroot have been ongoing for *five years* with the continued, repeated “we’re looking into it”, “we’re working on it”, etc. etc.

    This is perhaps the deepest record scratchrecord scratchrec…..I’ve seen in a *security* company.
    It’s hard to believe Webroot is actually security-focused and customer-driven based on feature requests; I myself have made multiple ones that have gone into the “looking into it” hopper along with other dedicated community members, only to see them die on the vine.

    If I don’t see a true 2FA solution in the next six months, I’ll be pushing our company (an MSP with multiple clients) to another product I can have more faith in. I can only hope Carbonite’s acquisition leads to more concern.

Leave a Reply

Your email address will not be published.