Reused Password Attacks Rise Following String of Mega-Breaches

reused-passwordsIn a security message dated Sunday, June 19, the GoToMyPC team of multinational software company Citrix notified its valued customers of a “sophisticated password attack” that requires the immediate resetting of all customer passwords. This stemmed from a security issue identified and duly reported the day before, where users were said to have difficulty logging into accounts. Users were then advised to reset passwords through the Forgot Password link found in the site.

Following this apology, on June 20, the team then divulged more details of the attack from their analysis. As such, John Bennett, product line director of Citrix noted in a statement, “Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users. Further, there is no indication of compromise to any other Citrix product line."

The note highlighted that no sensitive customer information like credit card information has been clawed out of its systems. Aside from the mandatory password reset, the company also highly encouraged enabling two-factor authentication to foster an even tighter defensive stance following this incident.

Almost at the same time last week, on Tuesday, June 14, popular code-storing platform Github noticed a similar instance of a number of suspicious, unauthorized attempts to gain access into its accounts. The web-based Git repository hosting service is available to 14 million users.

In an online statement, Shawn Davenport, vice president of security said, “On Tuesday evening PST, we became aware of unauthorized attempts to access a large number of accounts. This appears to be the result of an attacker using lists of email addresses and passwords from other online services that have been compromised in the past, and trying them on GitHub accounts. We immediately began investigating, and found that the attacker had been able to log in to a number of GitHub accounts.”

With this confirmation, Davenport furthered that apart from the usernames and passwords, “listings of accessible repositories and organizations” of affected accounts may have been exposed to the perpetrators. Given this discovery, the company notes that it is in the process of notifying affected.

Similar to Citrix’s GoToMyPC service, Github has highly recommended users to practice good password hygiene. Apart from this, two-factor authentication was also deemed effective in creating an extra layer of protection in a user’s account.

While the source of combinations used to attempt entry to the said website services, security experts and analysts are quick to reference back to the recent spate of mega breaches that affected account information of social networking sites.

Early in June, a hacker under the moniker of “Peace” claimed ownership for the massive data dumps that made troves of stolen credentials from Tumblr, LinkedIn, Fling, Myspace available in the cybercriminal underground. Shortly after, Russian social network site,, joined the long line of breached sites whose data are now up for grabs in the underground.

[Read: A rundown of the recently-reported “mega-breaches”]

In total, the acquired stolen credentials reach over 642 million from breaches that date more than three years ago. Security experts note that there has been a ballooning number of attempted logins in different websites and online platforms after these “historical hacks” came to public consciousness—ultimately raising the dangers of unauthorized logins.

Before May drew to a close, Microsoft issued a directive that bans passwords that have appeared in recent breach list, or those that are too common in an attackers’ login attempts to gain entry—a move that is currently in effect to Azure Active Directory’s over 10 million users.

This gathered heat from security researchers and industry insiders, though. In a statement, Brian Spector, CEO of MIRACL shared, “When companies like Microsoft ban certain passwords or ask the consumer to create stronger passwords they are essentially shifting the burden on the consumer because they have no better idea on what to do with the password issue.” He adds, "There are better alternatives to eliminate the need for username and password convention."

However, Microsoft stands by its point, stating that the move was made to shake up users’ manners of thinking about password policies. According to the company, password length requirements, password “complexity” requirements and regular, periodic password expiration are no longer sufficient. In fact, these make cracking passwords a lot less tasking for cybercriminals. That said, Microsoft's ID protection team member Robyn Hicock highlights, “People react in predictable ways when confronted with similar sets of restraints–which exacerbates users' irritating tendency to pick bad passwords, and re-use passwords.”


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.