Last month, Facebook-owned WhatsApp announced it would delay enforcement of its new privacy terms, following a backlash from confused users which later led to a legal challenge in India and various regulatory investigations. WhatsApp users had misinterpreted the privacy updates as an indication that the app would begin sharing more data — including their private messages — with Facebook. Today, the company is sharing the next steps it’s taking to try to rectify the issue and clarify that’s not the case.
The mishandling of the privacy update on WhatsApp’s part led to widespread confusion and misinformation. In reality, WhatsApp had been sharing some information about its users with Facebook since 2016, following its acquisition by Facebook.
But the backlash is a solid indication of much user trust Facebook has since squandered. People immediately suspected the worst, and millions fled to alternative messaging apps, like Signal and Telegram, as a result.
Following the outcry, WhatsApp attempted to explain that the privacy update was actually focused on optional business features on the app, which allow business to see the content of messages between it and the end user, and give the businesses permission to use that information for its own marketing purposes, including advertising on Facebook. WhatsApp also said it labels conversations with businesses that are using hosting services from Facebook to manage their chats with customers, so users were aware.
Image Credits: WhatsApp
In the weeks since the debacle, WhatsApp says it spent time gathering user feedback and listening to concerns from people in various countries. The company found that users wanted assurance that WhatsApp was not reading their private messages or listening to their conversations, and that their communications were end-to-end encrypted. Users also said they wanted to know that WhatsApp wasn’t keeping logs of who they were messaging or sharing contact lists with Facebook.
These latter concerns seem valid, given that Facebook recently made its messaging systems across Facebook, Messenger and Instagram interoperable. One has to wonder when similar integrations will make their way to WhatsApp.
Today, WhatsApp says it will roll out new communications to users about the privacy update, which follows the Status update it offered back in January aimed at clarifying points of confusion. (See below).
Image Credits: WhatsApp
In a few weeks, WhatsApp will begin to roll out a small, in-app banner that will ask users to re-review the privacy policies — a change the company said users have shown to prefer over the pop-up, full-screen alert it displayed before.
When users click on “to review,” they’ll be shown a deeper summary of the changes, including added details about how WhatsApp works with Facebook. The changes stress that WhatsApp’s update don’t impact the privacy of users’ conversations, and reiterate the information about the optional business features.
Eventually, WhatsApp will begin to remind users to review and accept its updates to keep using WhatsApp. According to its prior announcement, it won’t be enforcing the new policy until May 15.
Image Credits: WhatsApp
Users will still need to be aware that their communications with businesses are not as secure as their private messages. This impacts a growing number of WhatsApp users, 175 million of which now communicate with businesses on the app, WhatsApp said in October.
In today’s blog post about the changes, WhatsApp also took a big swipe at rival messaging apps that used the confusion over the privacy update to draw in WhatsApp’s fleeing users by touting their own app’s privacy.
“We’ve seen some of our competitors try to get away with claiming they can’t see people’s messages – if an app doesn’t offer end-to-end encryption by default that means they can read your messages,” WhatsApp’s blog post read.
This seems to be a comment directed specifically towards Telegram, which often touts its “heavily encrypted” messaging app as more private alternative. But Telegram doesn’t offer end-to-end encryption by default, as apps like WhatsApp and Signal do. It uses “transport layer” encryption that protects the connection from the user to the server, a Wired article citing cybersecurity professionals explained in January. When users want an end-to-end encrypted experience for their one-on-one chats, they can enable the “secret chats” feature instead. (And this feature isn’t even available for group chats.)
In addition, WhatsApp fought back against the characterization that it’s somehow less safe because it has some limited data on users.
“Other apps say they’re better because they know even less information than WhatsApp. We believe people are looking for apps to be both reliable and safe, even if that requires WhatsApp having some limited data,” the post read. “We strive to be thoughtful on the decisions we make and we’ll continue to develop new ways of meeting these responsibilities with less information, not more,” it noted.
A couple of weeks ago SentinelOne announced it was acquiring high-speed logging platform Scalyr for $155 million. Just this morning CrowdStrike struck next, announcing it was buying unlimited logging tool Humio for $400 million.
In Humio, CrowdStrike gets a company that will provide it with the ability to collect unlimited logging information. Most companies have to pick and choose what to log and how long to keep it, but with Humio, they don’t have to make these choices with customers processing multiple terabytes of data every single day.
Humio CEO Geeta Schmidt writing in a company blog post announcing the deal described her company in similar terms to Scalyr, a data lake for log information:
“Humio had become the data lake for these enterprises enabling searches for longer periods of time and from more data sources allowing them to understand their entire environment, prepare for the unknown, proactively prevent issues, recover quickly from incidents, and get to the root cause,” she wrote.
That means with Humio in the fold, CrowdStrike can use this massive amount of data to help deal with threats and attacks in real time as they are happening, rather than reacting to them and trying to figure out what happened later, a point by the way that SentinelOne also made when it purchased Scalyr.
“The combination of real-time analytics and smart filtering built into CrowdStrike’s proprietary Threat Graph and Humio’s blazing-fast log management and index-free data ingestion dramatically accelerates our [eXtended Detection and Response (XDR)] capabilities beyond anything the market has seen to date,” CrowdStrike CEO and co-founder George Kurtz said in a statement.
While two acquisitions don’t necessarily make a trend, it’s clear that security platform players are suddenly seeing the value of being able to process the large amounts of information found in logs, and they are willing to put up some cash to get that capability. It will be interesting to see if any other security companies react with a similar move in the coming months.
Humio was founded in 2016 and raised just over $31 million, according to Pitchbook Data. Its most recent funding round came in March 2020, a $20 million Series B led by Dell Technologies Capital. It would appear to be a decent exit for the startup.
CrowdStrike was founded in 2011 and raised over $480 million along the way before going public in 2019. The deal is expected to close in the first quarter, and is subject to typical regulatory oversight.
California’s Department of Motor Vehicles is warning of a potential data breach after a contractor was hit by ransomware.
The Seattle-based Automatic Funds Transfer Services (AFTS), which the DMV said it has used for verifying changes of address with the national database since 2019, was hit by an unspecified strain of ransomware earlier this month.
In a statement sent by email, the DMV said that the attack may have compromised “the last 20 months of California vehicle registration records that contain names, addresses, license plate numbers and vehicle identification numbers.” But the DMV said AFTS does not have access to customers’ Social Security numbers, dates of birth, voter registration, immigration status or driver’s license information, and was not compromised.
The DMV said it has since stopped all data transfers to AFTS and has since initiated an emergency contract to prevent any downtime.
AFTS is used across the United States to process payments, invoices and verify addresses. Several municipalities have already confirmed that they are affected by the data breach, suggesting it may not be limited to California’s DMV. But it’s not known what kind of ransomware hit AFTS. Ransomware typically encrypts a company’s files and will unlock them in exchange for a ransom. But since many companies have backups, some ransomware groups threaten to publish the stolen files online unless the ransom is paid.
AFTS could not be immediately reached for comment. Its website is offline, with a short message: “The website for AFTS and all related payment processing website [sic] are unavailable due to technical issues. We are working on restoring them as quickly as possible.”
“We are looking at additional measures to implement to bolster security to protect information held by the DMV and companies that we contract with,” said Steve Gordon, the director of the state’s DMV.
California has more than 35 million registered vehicles.
A security lapse by a Jamaican government contractor has exposed immigration records and COVID-19 test results for hundreds of thousands of travelers who visited the island over the past year.
The Jamaican government contracted Amber Group to build the JamCOVID19 website and app, which the government uses to publish daily coronavirus figures and allows residents to self-report their symptoms. The contractor also built the website to pre-approve travel applications to visit the island during the pandemic, a process that requires travelers to upload a negative COVID-19 test result before they board their flight if they come from high-risk countries, including the United States.
But a cloud storage server storing those uploaded documents was left unprotected and without a password, and was publicly spilling out files onto the open web.
Many of the victims whose information was found on the exposed server are Americans.
The data is now secure after TechCrunch contacted Amber Group’s chief executive Dushyant Savadia, who did not comment when reached prior to publication.
The storage server, hosted on Amazon Web Services, was set to public. It’s not known for how long the data was unprotected, but contained more than 70,000 negative COVID-19 lab results, over 425,000 immigration documents authorizing travel to the island — which included the traveler’s name, date of birth and passport numbers — and over 250,000 quarantine orders dating back to June 2020, when Jamaica reopened its borders to visitors after the pandemic’s first wave. The server also contained more than 440,000 images of travelers’ signatures.
Two U.S. travelers whose lab results were among the exposed data told TechCrunch that they uploaded their COVID-19 results through the Visit Jamaica website before their travel. Once lab results are processed, travelers receive a travel authorization that they must present before boarding their flight.
Both of these documents, as well as quarantine orders that require visitors to shelter in place and several passports, were on the exposed storage server.
Travelers who are staying outside Jamaica’s so-called “resilient corridor,” a zone that covers a large portion of the island’s population, are told to install the app built by Amber Group that tracks their location and is tracked by the Ministry of Health to ensure visitors stay within the corridor. The app also requires that travelers record short “check-in” videos with a daily code sent by the government, along with their name and any symptoms.
The server exposed more than 1.1 million of those daily updating check-in videos.
An airport information flyer given to travelers arriving in Jamaica. Travelers may be required to install the JamCOVID19 app to allow the government to monitor their location and to require video check-ins. (Image: Jamaican government)
The server also contained dozens of daily timestamped spreadsheets named “PICA,” likely for the Jamaican passport, immigration and citizenship agency, but these were restricted by access permissions. But the permissions on the storage server were set so that anyone had full control of the files inside, such as allowing them to be downloaded or deleted altogether. (TechCrunch did neither, as doing so would be unlawful.)
Stephen Davidson, a spokesperson for the Jamaican Ministry of Health, did not comment when reached, or say if the government planned to inform travelers of the security lapse.
Savadia founded Amber Group in 2015 and soon launched its vehicle-tracking system, Amber Connect.
According to one report, Amber’s Savadia said the company developed JamCOVID19 “within three days” and made it available to the Jamaican government in large part for free. The contractor is billing other countries, including Grenada and the British Virgin Islands, for similar implementations, and is said to be looking for other government customers outside the Caribbean.
Savadia would not say what measures his company put in place to protect the data of paying governments.
Jamaica has recorded at least 19,300 coronavirus cases on the island to date, and more than 370 deaths.
Send tips securely over Signal and WhatsApp to +1 646-755-8849. You can also send files or documents using our SecureDrop. Learn more.
Tel Aviv-based Spectral is bringing its new DevSecOps code scanner out of stealth today and announcing a $6.2 million funding round. The startup’s programming language-agnostic service aims to automated code security development teams to help them detect potential security issues in their codebases and logs, for example. Those issues could be hardcoded API keys and other credentials, but also security misconfiguration and shadow IT assets.
The four-person founding team has a deep background in building AI, monitoring and security tools. CEO Dotan Nahum was a Chief Architect at Klarna and Conduit (now Como, though you may remember Conduit from its infamous toolbar that was later spun off), and the CTO at Como and HiredScore, for example. Other founders worked on building monitoring tools at Elastic and HP and on security at Akamai. As Nahum told me, the idea for Spectral came to him and co-founder and COO Idan Didi during their shared time at mobile application build Conduit/Como.
“We basically stored certificates for every client that we had, so we could submit their apps to the various marketplaces,” Nahum told me of his experience at Counduit/Como. “That certificate really proves that you are who you are and it’s super sensitive. And at each point at these companies, I really didn’t have the right tools to actually make sure that we’re storing, handling, detecting [this information] and making sure that it doesn’t leak anywhere.”
Nahum decided to quit his current job and started to build a prototype to see if he could build a tool that could solve this problem (and his work on this prototype quickly discovered an issue at Slack). And as enterprises move from on-premises software to the cloud and to microservices and DevOps, the need for better DevSecOps tools is only increasing.
“The emphasis is to create a great developer experience,” Nahum noted. “Because that’s where we started from. We didn’t start as a top down cyber tool. We started as a modest DevOps friendly, developer-friendly tool.”
One interesting aspect of Spectral’s approach, which uses a machine learning model to detect these breaches across programming languages, is that it also scans public-facing systems. On the backend, Spectral integrates with tools like Travis, Jenkins, CircleCI, Webpack, Gatsby and Netlify, but it can also monitor Slack, npm, maven and log providers — tools that most companies don’t really think about when they think about threat modeling.
“Our solution prevents security breaches on a daily basis,” said Spectral co-founder and COO Idan Didi. “The pain points we’re addressing resonate strongly across every company developing software, because as they evolve from own-code to glue-code to no-code approaches they allow their developers to gain more speed, but they also add on significant amounts of risk. Spectral lets developers be more productive while keeping the company secure.”
The company was founded in mid-2020, but it already has about 15 employees and counts a number of large publicly-listed companies among its customers.
Enterprises have been loading more of their operations into cloud — and, more often than not, multi-cloud — environments over the last year, creating vast networks of services that can be complex to manage. Today, vArmour, a startup that provides ways to manage in real time and ultimately secure how applications (and people) work in those fragmented environments is announcing funding to capitalize on the demand for its services.
The Bay Area startup has picked up funding of $58 million in what it described as an oversubscribed round. Co-led by previous backers AllegisCyber Capital and NightDragon, existing investors Standard Chartered Ventures, Highland Capital Partners, Australian carrier Telstra, Redline Capital, and EDBI also participated.
CEO Tim Eades (who co-founded the company with Roger Lian) said this round is likely to be its final fundraising ahead of an IPO for the company.
“We had one hell of a year in 2020 with companies rushing to the cloud,” he said in an interview, with net new annual recurring revenue doubing year over year in the last year. It started out, he noted, with perhaps 10% of business processes in the cloud, and ended at more like 50%. “Now the focus for us is to get to the public markets, maybe in two or 2.5 years from now.”
The company appointed a CFO last October as part of its go-public plan, he noted — Chris Dentiste, who previously had been the CFO of RSA. “His job is to help me find the right window. My job is to make sure we have enough fuel in the tank, and we do,” said Eades.
He added that the company is likely also to look at making some acquisitions in the meantime. A recent launch of an AI lab in Calgary, Canada, points to one area where we might see some activity.
The company is not disclosing its valuation, although Eades confirmed it was a significant up-round. We’re also double checking what the total raised to date is now too (we’ll update when we get that information).
For some context, in the last round of funding that we covered — a $44 million round in 2019 led by the same two investors — we mentioned a PitchBook estimate of $420 million from the previous round — a figure that the company did not dispute with us at the time.
vArmour has been around for several years, with the first three spent in stealth mode, quietly building its technology, raising money and amassing early customers. Those customers, Eades said, fall into categories like telecommunications (strategic backer Telstra being one of them), and financial services.
Those industries speak largely to the challenges that vArmour is addressing in its business.
Legacy businesses in critical verticals often pre-date the modern era of business, and while many of them are going through what enterprise people like to refer to as “digital transformation”, the evolution is not a smooth one.
In many cases, adopting new technologies can be slow, and in almost every case, when you are talking about large enterprises, the changes are very piecemeal, affecting one particular service, or region, or department, or even a subsection of any of those.
All of this means that for malicious actors, there are a number of options to tackle when setting out to look for vulnerabilities in a business or its network, and for those on the inside, it makes for a very complicated and fragmented situation when it comes to monitoring those networks and the services running on them, finding vulnerabilities or suspicious activity, and doing something about that. VArmour’s term that it uses for this is “Application Relationship Management.”
Eades — whose background includes working for the likes of IBM but also leading number of startups acquired by bigger technology giants — has first-hand understanding of how that complexity looks from both sides, from the end user end and from the service provider end. That is in essence what his company has identified and is trying to fix.
Having started out in managing application policies and providing insights to protect on that front, the company is expanding the range of tools that it provides with the recent launch of identity access management on top of that.
But that is likely to be just one of the product steps that it takes to tackle what remains a difficult problem to fix, as its growth is related not just to the growth of activity on a network, but further digital migration of services, and the rise of new technology within an organization’s stack.
(And that is also an area that vArmour is not alone in considering, or even the only approach to tackling it: consider yesterday’s news of Palo Alto Networks acquiring Bridgecrew to extend its own ability to provide automated security monitoring services to DevOps teams.)
“Managing risk and resiliency in the hybrid cloud is one of the most significant security challenges for enterprises,” said Bob Ackerman, Founder and Managing Director at AllegisCyber Capital, in a statement. “vArmour’s platform provides the visibility, controls, and accountability necessary to actively manage these challenges and has done this for hundreds of customers. We are ecstatic to be part of their next stage of growth.”
“As applications become more complex, more distributed, and more targeted by attackers, the importance of full visibility into the relationships between applications becomes increasingly important.” added Dave DeWalt, founder of NightDragon. “vArmour’s approach to application relationship management ensures that enterprises of all sizes can continuously audit, respond, and control identity relationships to best protect their important IP, and mitigate risk to the business.”
The pandemic and the world’s big shift to doing (even) more online has put an unprecedented amount of pressure on cybersecurity. Now, it looks like one of the big public players in that space, Palo Alto Networks, has made an acquisition that will help it address that challenge, specifically with security tools designed for those working in DevOps to handle vast volumes of security data more efficiently.
According to our sources and reports, the company is acquiring Bridgecrew, a startup out of Israel that automates the process of network monitoring and security remediation by translating the feedback into code. Its tools are used by fast-scaling, internet-based businesses like Robinhood, BetterHelp and OneMain Financial.
The acquisition was first rumored earlier this month in Israeli press as a deal worth more than $100 million. Two sources confirmed the talks to us at the time but said the deal had not yet been closed. Then, a report this morning in Israel’s Calcalist said the acquisition is now valued at around $200 million, possibly more if you count earn-outs.
Sources close to the startup’s investors confirm to us that the papers have indeed now been signed on the deal, so expect an official announcement soon.
Spokespeople for both companies previously declined to comment on any deal when we asked earlier this month. We are reaching out to both again.
A $200 million price tag would represent a strong return for Bridgecrew and its investors.
The startup, backed by the likes of Battery Ventures, Operator Partners and more than a dozen others, has only raised around $18 million, including a Series A of $14 million last year. According to PitchBook data, Bridgecrew had a valuation of about $40 million at the time of that last round.
Cybersecurity — specifically the need for better and more sophisticated solutions in the face of an increasing amount of breaches in an ever-growing threat landscape — has seen an increasing focus for years. Indeed, it’s one of the rising tides that has lifted Palo Alto Networks’ boat.
But in the last year, the Covid-19 pandemic has brought more attention to cybersecurity and the need for more automation in it than ever before.
The reason is fairly obvious but is worth repeating: as more organizations migrate operations into distributed, digital-only, cloud-based environments, architectures have become more fragmented, complex and simply bigger and more of an exploitation target.
That’s presented a challenge for those provisioning security for these operations, and that has led to a new wave of companies over the last several years building automated solutions, merging DevOps with security monitoring.
“We founded Bridgecrew because we saw that there was a huge bottleneck in security engineering, in DevSecOps, and how engineers were running cloud infrastructure security,” Bridgecrew CEO and co-founder Idan Tendler told TechCrunch last year. Others in this wider space include PortShift (which was acquired by Cisco last year), Tines and many others.
Palo Alto Networks has also been building its own tools for DevOps security, namely with Prisma, which it introduced in 2019 and updated last year.
It’s not clear why Palo Alto would choose to supplement that with an outside acquisition, but it’s notable that Bridgecrew focuses on DevOps security specifically and it has seen a lot of traction in that area.
Its sweet spot appears to be customers who are building huge businesses themselves on cloud infrastructure and are using automation as part of bigger efforts to ensure better cybersecurity practices.
It counts customers like Databricks for its flagship Bridgecrew platform product, which provides security scanning and remediation in the form of code across a wide range of infrastructure environments. The company recently said that its customer base and monthly sign ups both tripled in the second half of last year.
It has also seen a lot of pick-up of Checkov, its open source infrastrcuture-as-code (IaC) scanner that it says works across cloud infrastructure in Terraform, Cloudformation, Kubernetes, Arm templates or Serverless Framework to detect misconfigurations.
Checkov passed a milestone of 1 million downloads last quarter, speaking to the company’s reputation and traction with the very customers that Palo Alto is looking to reach.
Notably, Bridgecrew says it’s working on other open source projects, so that could also be a focus for Palo Alto here.
Another takeaway from this news is how Israel continues to be fertile ground for hatching and growing cybersecurity businesses.
“Palo Alto Networks was established by Israeli founders, and Bridgecrew will be the seventh Israeli cybersecurity company acquired by Palo Alto in the recent years,” said Avihai Michaeli, a Tel Aviv-based senior investment banker and startup advisor.
We will update this story as we learn more.
Last week’s hours-long outage at online workspace startup Notion was caused by phishing complaints, according to the startup’s domain registrar.
Notion was offline for most of the morning on Friday, plunging its more than four million users into organization darkness because of what the company called a “very unusual DNS issue that occurred at the registry operator level.” With the company’s domain offline, users were unable to access their files, calendars, and documents.
We're experiencing a DNS issue, causing the site to not resolve for many users. We are actively looking into this issue.
— Notion Status (@NotionStatus) February 12, 2021
Notion registered its domain name
notion.so through Name.com, but all
.so domains are managed by Hexonet, a company that helps connect Sonic, the
.so top-level domain registry, with domain name registrars like Name.com.
That complex web of interdependence is in large part what led to the communications failure that resulted in Notion falling offline for hours.
In an email to TechCrunch, Name.com spokesperson Jared Ewy said: “Hexonet received complaints about user-generated Notion pages connected to phishing. They informed Name.com about these reports, but we were unable to independently confirm them. Per its policies, Hexonet placed a temporary hold on Notion’s domain.”
“Noting the impact of this action, all teams worked together to restore service to Notion and its users. All three teams are now partnering on new protocols to ensure this type of incident does not happen again. The Notion team and their avid followers were responsive and a pleasure to work with throughout. We thank everyone for their patience and understanding,” said Ewy.
There are several threads on Reddit discussing concerns about Notion being used to host phishing sites, and security researchers have shown examples of Notion used in active phishing campaigns. A Notion employee said almost a year ago that Notion would “soon” move its domain to
notion.com, which the company owns.
Notion’s outage is almost identical to what happened with Zoho in 2018, which like Notion, resorted to tweeting at its domain registrar after it blocked
zoho.com following complaints about phishing emails sent from Zoho-hosted email accounts.
It sounds like there’s no immediate danger of a repeat outage, but Notion did not return TechCrunch’s email over the weekend asking what it plans to do to prevent phishing on its platform in the future.
Notion, the online workspace startup that was last year valued at over $2 billion, was knocked offline after a DNS outage.
The collaborative online office and document service was not loading as of around 9 a.m. ET on Friday, preventing anyone who relies on the service from accessing their cloud-stored data.
In a since-deleted tweet, Notion asked if “any users have a contact at Name.com,” the web host that Notion relies on for its domain name. In a reply, Name.com said it was “working with the owners of this domain to address this issue as quickly as possible.” Notion replied: “Could you let us know where you’re messaging us to address this?”
The now-partially deleted tweet thread noting the apparent Notion outage. (Image: TechCrunch)
In a statement shortly after its first tweet went out, Notion told TechCrunch: “We’re experiencing a DNS issue, causing the site to not resolve for many users. We are actively looking into this issue, and will update you with more information as we receive it via our status page on Twitter.”
Notion didn’t say specifically what the DNS issue is. Domain name servers, or DNS, is an important part of how the internet works. Every time you go to visit a website, your browser uses a DNS server to convert web addresses to machine-readable IP addresses to locate where a web page is located on the internet. But if a website or its DNS server is not configured correctly, it can cause the website not to load.
It appears a misconfiguration on @NotionHQ’s domain is causing a site-wide outage
— Jane Manchun Wong (@wongmjane) February 12, 2021
It’s not clear exactly who is responsible for this particular DNS issue. When reached, a spokesperson for Name.com did not immediately comment, and Sonic.so, the Somali-based registrar that oversees the .so country-code top level domain on which Notion relies, did not return a request for comment.
We’ll update once we know more.
Read more on TechCrunch:
Our reliance on internet-based services is at an all-time high these days, and that’s brought a new focus on how well we are protected when we go online. Today comes some news from one of the bigger companies working in the area of password security, which points how business is shifting for the companies providing these tools.
Emmanuel Schalit, the co-founder of popular password manager Dashlane, is stepping down as CEO of the startup. He is being replaced by JD Sherman, the former COO of HubSpot, as Dashlane makes plans to move more aggressively to court more business users.
“This is about thinking about its next leg of our scaling strategy, more B2B monetization after being strong in B2C,” Sherman said in an interview, praising his predecessor’s growth of the consumer business and noting his realization that “B2B was not his forte.”
Sherman’s career focus, in contrast, has been all about B2B. Before his eight years at Hubspot, he was the CFO of Akamai (which, as a CDN, also had security as a focus, albeit in a completely different way), and before that IBM.
Since accepting the offer, Sherman (pictured right) has been quietly working with Schalit — who will no longer hold any operational role — to get up to speed and will be taking over formally at the start of February.
Sherman is based out of Boston and will eventually commute to Dashlane’s HQ in New York: eventually, because everyone is remote-working at the moment, with Sherman himself getting hired in a virtual process.
The changing of the guard comes at an interesting time for the startup. Dashlane now has 15 million users, up from 10 million+ in 2019. That was the same year that Dashlane announced two significant rounds of funding just six weeks apart from each other: first a $30 million round (which appeared to have some debt as part of it), then a $110 million Series D that valued the company at just over $500 million. Its backers include the likes of Sequoia, Bessemer, FirstMark, Rho Ventures and consumer credit reporting giant TransUnion.
Sherman would not talk about current valuation, nor where the company is currently standing regarding its next financial steps, except to say that it’s in a good place and to provide the smallest of hints of an IPO on the horizon.
“The Series D was a healthy round for a subscription business,” he said. “Right now, cashflow is solid and we have the funding we need for our growth, so there is no urgent plan to raise money. When we do, we’ll see if it is an IPO round” — that is, the last round before an IPO — “or not. To me, it’s all about growing the business.”
My guess: that valuation has gone up, given the boost in user numbers, the growth of its enterprise business and the huge shifts in the market in the last year that have put a spotlight on companies that are making using the internet safer. (Also, note that Logmein, which owns competitor LastPass, was picked up by PE firms for about $4.3 billion in a deal that completed last year.)
Dashlane was founded focused primarily on providing password management tools for consumers. These still account for the majority of its users, but the Series D funding was in part to fuel a bigger push into the business market, and to generally get on the radar of more people.
The expansion into business users was a natural move in more ways than one. First, the consumer service is designed as a freemium offering, while businesses provide a more steady and guaranteed revenue stream. Second, there is a natural progression that comes from being a happy consumer user: you might want to have the same service for your online work life, too. That remains the strategy for Sherman.
“The plan is to have two sides to the business,” he said, using the well-worn consumer-to-business analogy of a flywheel to describe how it will work: “The more who use it, more businesses will start to adopt it and get comfortable with using a password manager.”
That strategy is lately getting a major fillip, in the form of the massive boost in online activity in the past year.
Activities like taking care of all your shopping, entertainment, social and work-related needs have all moved online in the last year, pushed into the virtual sphere by the emergence and persistent presence of the easily contagious and dangerous Covid-19 virus.
Some of that shift has worked out better than many thought it would, and now, some believe that even when the pandemic does get under control, a lot of us will still be using the internet to get all of those things done on a regular basis.
But while I’ve heard a lot of industry people describe that situation as “the genie is out of the bottle”, perhaps a more fitting expression might be that Pandora’s box has been opened. That is to say, the increased online usage has created an alarmingly large opportunity for malicious hacking, security breaches and misuse of our online identities.
This consequently has a pretty direct link back to Dashlane.
Password protection is one of the most important elements of keeping yourself and your information safe online, with, weak, stolen and reused passwords some of the biggest causes of security breaches both for consumers and businesses (by some estimates, you can track 80-90% of all security breaches back to password issues).
Beyond that, not least because of all the breaches we’ve now seen, the current market has become much more concerned about privacy and security (a trend manifesting in all kinds of ways), and that has bred a lot more awareness and appetite for the kinds of tools that Dashlane, and other companies that enable better online security, provide.
There will likely continue to be developments in the technology to both suss out bad actors and block them in their tracks when they do try to enter networks, and the technology sold to organizations to keep their and their customers’ information in the cloud in more secure ways will also be improved. But above and beyond all that, password managers are likely to continue to play a role in the mix.
Password managers may not always be a perfect solution — there have been a few cases of breaches over the years, and while they have not been in recent times, security researchers at the University of York in May 2020 identified vulnerabilities that could potentially be exploited — but they remain a relatively easy option for end users themselves to be more proactive in protecting their identities specifically by building a better way to guard their passwords. (Among all that, it’s also worth pointing out that Dashlane has never had a breach in its 10+ years of operations.)
And there are a number of routes to providing password management, including efforts from platform players themselves and more direct Dashlane competitors like 1Password and LastPass. Notably, some of the efforts to bridge some of that together, such as the “OpenYolo” project spearheaded by Google and Dashlane, have stalled over the years, in part because of the complexity of implementing it with other existing managers.
But even within that fragmented, competitive and (still at times) vulnerable market, Dashlane still has a lot of opportunities for growth.
“The business is strong and growing,” Sherman said. “The craziness around Covid and remote networking have raised the profile of password management and security in general. It’s a more difficult environment, but there is a tailwind there.”
Web infrastructure company Cloudflare is releasing a new tool today that aims to provide a way for health agencies and organizations globally tasked with rolling out COVID-19 vaccines to maintain a fair, equitable and transparent digital queue – completely free of charge. The company’s ‘Project Fair Shot’ initiative will make its new Cloudflare Waiting Room offering free to any organization that qualifies, essentially providing a way from future vaccine recipients to register and gain access to a clear and constantly-updated view of where they are in line to receive the preventative treatment.
“The wife of one of Cloudflare’s executives in our Austin was trying to register her parents for the COVID-19 vaccine program there,” explained Cloudflare CEO Matthew Prince via email. “The registration site kept crashing. She said to her husband: why doesn’t Cloudflare build a queuing feature to help vaccine sites? As it happened, we had exactly such a feature under development and scheduled to be launched in early February.”
After realizing the urgency of the need for something like this tool to help alleviate the many infrastructure challenges that come up when you’re trying to vaccinate a global population against a viral threat as quickly as possible, Cloudflare changed their release timetable and devoted additional resources to the project.
“We talked to the team about moving up the scheduled launch of our Waiting Room feature,” Prince added. “They worked around the clock because they recognized how important helping with vaccine delivery was. These are the sorts of projects that really drive our team: when we can use our technical expertise and infrastructure to solve problems with broad, positive impact.”
On the technical side, Cloudflare Waiting Room is simple to implement, according to the company, and can be added to any registration website built on the company’s existing content delivery network without any engineering or coding knowledge required. Visitors to the site can register and will receive a confirmation that they’re in line, and then will receive a follow-up directing them to a sign-up page for the organization administering their vaccine when it’s their turn. Further configuration options allow Waiting Room operators to offer wait time estimates to registrants, as well as provide additional alerts when their turn is nearing (though that functionality is coming in a future update).
As Prince mentioned, Waiting Room was already on Cloudflare’s project roadmap, and was actually intended for other high-demand, limited supply allocation items: Think must-have concert tickets, or the latest hot sneaker release. But the Fair Shot program will provide it totally free to those organizations that need it, whereas that would’ve been a commercial product. Interested parties can sign up at Cloudflare’s registration page to get on the waitlist for availability.
“With Project Fair Shot we stand ready to help ensure everyone who is eligible can get equitable access to the COVID-19 vaccines and we, along with the rest of humanity, look forward to putting this disease behind us,” Prince explained.
All change in the capital as the Biden administration takes charge, and thankfully without a hitch (or violence) after the attempted insurrection two weeks earlier.
In this week’s Decrypted, we look at the ongoing fallout from the SolarWinds breach and who the incoming president wants to lead the path to recovery. Plus, the news in brief.
The cyberattack against SolarWinds, an ongoing espionage campaign already blamed on Russia, claimed the U.S. Bureau of Labor Statistics as another federal victim this week. The attack also hit cybersecurity company Malwarebytes, the company’s chief executive confirmed. Marcin Kleczynski said in a blog post that attackers gained access to a “limited” number of internal company emails. It was the same attackers as SolarWinds but using a different intrusion route. It’s now the third security company known to have been targeted by the same Russian hackers after a successful intrusion at FireEye and an unsuccessful attempt at CrowdStrike.
Today, I disclosed publicly that @Malwarebytes had been targeted by the same nation state actor that attacked SolarWinds. This attack is much broader than SolarWinds and I expect more companies will come forward soon.
— Marcin Kleczynski (@mkleczynski) January 19, 2021
Three of the leading exam proctoring companies are facing calls to be more transparent, amid continued claims of bias by students forced to take remote exams because of the ongoing pandemic.
Exam proctoring tech lets students take remotely invigilated tests from home. Students are told to install their university’s choice of proctoring software, which allows the exam monitor deep access to the student’s computer, including their webcams and microphones, to monitor their activity to spot potential cheating.
But companies like Proctorio, ExamSoft and ProctorU have faced a barrage of criticism from students who say that their proctoring technology is fraught with problems, including issues of bias — all of which could impact their test results.
Chief among the complaints are that their proctoring software cannot recognize faces with darker skin tones or religious headgear, and discriminates against students with disabilities and those in lower-income areas who may not have the internet speeds to meet the standards of the test-taking tech.
Several U.S. Democratic senators sent Proctorio, ExamSoft and ProctorU letters in December calling on the companies to explain their technology and policies better. In their responses seen by TechCrunch, the companies rejected claims of discrimination and all said that it’s up to the teachers to decide whether a student has cheated, not the companies themselves.
But lawmakers say that the companies are not transparent enough, and worry teachers could be making decisions about a student’s conduct based on little more than what the technology tells them.
“Proctorio, ExamSoft and ProctorU claim they don’t have problems with bias, yet alarming reports from students tell a different story,” Sen. Richard Blumenthal (D-CT) told TechCrunch. “These responses from the companies are only the first step in learning more about how they operate, but much more transparency is needed into the systems that have the power to accuse students of cheating. I will work on every fix necessary to ensure students are protected.”
We sent the companies several questions. ProctorU’s chief executive Scott McFarland declined to comment citing the holiday weekend. Proctorio and ExamSoft did not respond.