News, Trends, and Insights for IT & Managed Services Providers

Two cyber incidents to discuss.

Kaseya’s Network Detective tool has been found to contain two critical vulnerabilities that may endanger Managed Service Providers and their clients. These flaws, identified by the cybersecurity firm Galactic Advisors, involve the insecure storage of administrative passwords in plain text and the use of weak encryption methods, potentially exposing sensitive data across managed environments. Cody Kretsinger, a principal security advisor at Galactic Advisors, emphasized the urgency for Managed Service Providers to update their instances of Network Detective to the latest version and eliminate any logs related to vulnerable versions. Failure to act could allow malicious hackers to exploit these vulnerabilities, gaining unauthorized access to high-level accounts. Jim Lippie, Kaseya’s chief product officer, acknowledged the partnership with Galactic Advisors in addressing these issues, highlighting the importance of collaboration in strengthening the Managed Service Provider ecosystem.

A recent cybersecurity incident has revealed that a vulnerability in McDonald’s chatbot job application platform exposed the chats of more than 64 million job applications across the United States. Security researchers Ian Carroll and Sam Curry discovered that the platform, known as McHire, utilized weak default credentials – a password of 123456 – allowing unauthorized access to sensitive applicant data. The researchers found that by manipulating a simple parameter in the platform’s API, they could access full chat transcripts and personal information of applicants. This type of vulnerability, known as Insecure Direct Object Reference, highlights serious flaws in the platform’s security measures. Following the incident, McDonald’s quickly acknowledged the issue and worked with the platform provider, Paradox.ai, to implement necessary fixes. Paradox.ai confirmed that the vulnerability has been mitigated and that they are conducting a systems review to prevent future occurrences.

Why do we care?

Network Detective is widely used by MSPs for network assessments and audits, exactly the kind of tool that requires access to sensitive credentials and client environments. Storing admin passwords in plaintext and using weak encryption puts entire client ecosystems at risk if exploited. One should question how this happens, yet remember that it happens at organizations of all sizes. McDonald’s 123456 password shows it’s not about size.

Both cases reinforce that MSPs are deeply exposed to upstream vendor security practices. Clients rarely distinguish between vendor and provider when data is compromised; they hold their MSP responsible. Clients may resist discussions about these risks unless tied to a direct business impact, making it hard for providers to justify investing time in vendor due diligence.
