Avatier has fixed a vulnerability regarding weak social engineered questions, however, you are NOT AT RISK if you require additional authentication, like Avatier SMS, email One Time Passcode (OTP), or any Avatier supported third-party MFA provider.
WHAT TO DO:
Avatier has a hotfix. Contact Avatier Support for an upgrade of your production systems or you can download the hotfix yourself here. If you are not able to immediately apply the hotfix, take these steps now:
1) Set your system to lock out users after one failed security question attempt for now until the hotfix can be applied.
2) Turn on notifications to alert your security desk on when a user is unenrolled from password reset
3) To find out which accounts may be under attack, run a “Failures While Answering Question” report
4) Avatier has opened a incident with the FBI to catch the hackers. Contact Avatier for sharing your transaction logs
5) Avatier cloud users are not affected and were being upgraded immediately