Online Backup Firm Targeted by Reused Password Attack

Cloud-based backup solutions provider Carbonite recently notified its users, in a security bulletin issued on Tuesday, June 21, of unauthorized attempts to access an undisclosed number of accounts. The statement reads, “This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.”

The company says its investigation has uncovered no evidence of a breach or compromise. To mitigate the risk posed by the suspicious activity, it issued notifications to its 1.5 million active users, individuals and small businesses alike, forcing a password reset. The notice says that the affected usernames and passwords have been identified, and that some of the affected accounts may have had personal information exposed; the incident nonetheless led to a decision to reset the passwords of all users registered with the backup firm.
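The signal Carbonite would have had to look for is the one that distinguishes credential stuffing from an ordinary forgotten password: a single source trying many distinct accounts with mostly failures, rather than one account with a few retries. The following detector is an added example, not Carbonite's own tooling; the log format and the sample lines are constructed for illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Flag credential-stuffing sources in authentication logs.

Added illustration. Leaked email/password pairs are replayed one account
at a time, so the telltale pattern is one source IP touching many distinct
users with a high failure ratio. A legitimate user who mistypes a password
hits one account repeatedly instead.
"""
from collections import defaultdict
import re

# Constructed sample log (assumed format: timestamp src_ip user result).
SAMPLE_LOG = """\
2016-06-20T10:00:01Z 203.0.113.7 alice@example.com FAIL
2016-06-20T10:00:02Z 203.0.113.7 bob@example.com FAIL
2016-06-20T10:00:02Z 203.0.113.7 carol@example.com OK
2016-06-20T10:00:03Z 203.0.113.7 dave@example.com FAIL
2016-06-20T10:00:04Z 203.0.113.7 erin@example.com FAIL
2016-06-20T10:00:05Z 203.0.113.7 frank@example.com FAIL
2016-06-20T10:01:00Z 198.51.100.4 alice@example.com FAIL
2016-06-20T10:01:05Z 198.51.100.4 alice@example.com FAIL
2016-06-20T10:01:09Z 198.51.100.4 alice@example.com OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse_log(text):
    """Return (timestamp, ip, user, success) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((ts, ip, user, result == "OK"))
    return events


def find_stuffing_sources(events, min_users=5, min_fail_ratio=0.7):
    """Flag IPs that hit many distinct users with a high failure ratio.

    Thresholds are illustrative assumptions. The returned 'compromised' list
    holds accounts the flagged source logged into successfully, i.e. the
    accounts whose reused password worked and that need a forced reset.
    """
    per_ip = defaultdict(lambda: {"users": set(), "attempts": 0,
                                  "failures": 0, "successes": set()})
    for _, ip, user, ok in events:
        s = per_ip[ip]
        s["users"].add(user)
        s["attempts"] += 1
        if ok:
            s["successes"].add(user)
        else:
            s["failures"] += 1

    flagged = {}
    for ip, s in per_ip.items():
        ratio = s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and ratio >= min_fail_ratio:
            flagged[ip] = {
                "distinct_users": len(s["users"]),
                "fail_ratio": round(ratio, 2),
                "compromised": sorted(s["successes"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(parse_log(SAMPLE_LOG)).items():
        print(ip, info)
```

On the sample, 203.0.113.7 is flagged (six distinct users, five failures) and carol@example.com is reported as the account its reused password opened; 198.51.100.4, which retried a single account, is not flagged.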

The reused password attack has been widely linked to the surfacing of user data in the cybercriminal underground. Over the past month or so, more than 700 million stolen credentials have emerged after a string of social networking sites were found to have suffered breaches dating back as far as 2012 and 2013.


The millions of credentials unearthed from the separate breaches at LinkedIn, MySpace, Tumblr, and VK are believed to be the source of the recently discovered wave of reused password attacks. Carbonite joins several organizations hit by this kind of attack, including GitHub and Citrix’s GoToMyPC. Although the said breaches took place years ago, many of the compromised credentials remain valid—which, for security analysts, reflects the current state of users’ regard for proper “password hygiene.”

“In addition to our existing monitoring practices, we will be rolling out additional security measures to protect your account, including increased security review and two-factor authentication (which we strongly encourage all customers to use),” the company reassures its client base.

However, the password reset instructions sent to all Carbonite customers drew criticism from security experts and customers alike. A number of users were wary of the emails, which resembled the kind of messages cybercriminals send in phishing campaigns to steal personal information.

Apart from this, the “password reset mechanism” the company designed does not ask users to verify their current password before creating a new one. Suspicion grew among several users because the reset was not performed on the official Carbonite website. LogMeIn previously drew similar reactions from users who received emails instructing a forced password reset, as the links provided were said to lead to suspicious domains. Carbonite then took to social media to confirm that the emails were legitimate and to give detailed instructions on how to determine whether an email received was in fact from the company.

The firm also reminded users to choose strong, unique passwords so as to deny cybercriminals easy access, and discouraged reusing the same or similar passwords on other online services, which is considered a poor security practice.

Toward the end of May, Microsoft began banning passwords that commonly appear in breach lists. While several users and industry insiders also criticized this directive, the company clarified that the move was simply meant to foster sound “password policies”. Microsoft noted that password length requirements, “complexity” requirements and regular, periodic password expiration are no longer sufficient to keep attackers and information thieves at bay; in fact, they make passwords easier for cybercriminals to crack. As Robyn Hicock of Microsoft’s identity protection team said, “People react in predictable ways when confronted with similar sets of restraints–which exacerbates users' irritating tendency to pick bad passwords, and re-use passwords.”
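A banned-password check of the kind Microsoft describes replaces complexity rules with a single question: would this password already be in an attacker's leaked list? The example below is an added illustration, not Microsoft's or Carbonite's implementation; the banned list is constructed, and the normalization (case folding, stripping digit and punctuation prefixes and suffixes, undoing common character substitutions) is this example's own assumption about how users dress up a banned base word to satisfy complexity rules.

```python
"""Reject passwords that are trivial variants of breach-list entries.

Added illustration. A complexity rule happily accepts "P@ssw0rd2016", but
to an attacker holding a leaked list it is just "password". The check
therefore normalizes the candidate before comparing it against the list.
"""
import re

# Constructed banned list standing in for a breach-derived corpus.
BANNED = {"password", "123456", "qwerty", "letmein", "carbonite"}

# Leading/trailing characters users bolt onto a base word ("2016", "!").
STRIP_CHARS = "0123456789 !?.,_-"

# Common substitutions applied to the remaining core (assumed set).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})


def normalize(pw):
    """Reduce a password to the base word an attacker would try."""
    lowered = pw.lower()
    core = lowered.strip(STRIP_CHARS)
    if not core:
        # Purely numeric or punctuation passwords such as "123456":
        # compare them as-is rather than as an empty string.
        return lowered
    return core.translate(LEET)


def is_banned(pw, banned=BANNED):
    """True if the password or its normalized form is on the banned list."""
    return pw.lower() in banned or normalize(pw) in banned


def check_password(pw, banned=BANNED):
    """Return (accepted, reason) for use in a registration or reset flow."""
    if is_banned(pw, banned):
        return False, "password is a known breached value or a variant of one"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["P@ssw0rd2016", "123456", "Carbonite!",
                      "correct horse battery staple"]:
        print(repr(candidate), check_password(candidate))
```

Note what the check does not do: it imposes no length or character-class rule, which is the point of the passage above, and it compares only against the embedded list; a production deployment would draw the list from actual breach corpora and keep it current.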
