Carbonite Triggers Password Reset for 1.5M Customers After Reuse Attack

Online backup firm Carbonite is forcing all of its 1.5 million users to change their passwords after reporting it was targeted in a password reuse attack.

Online backup firm Carbonite is forcing all of its 1.5 million users to change their passwords after reporting that customer accounts were targeted in a password reuse attack. According to a statement issued by Carbonite on Tuesday, attackers were attempting to break into user accounts using credentials stolen from other services. In some cases, personal information may have been exposed, Carbonite wrote in a blog post.

The mandatory password reset by Carbonite is just the latest in a long string of such moves: Citrix’s GoToMyPC, TeamViewer, Twitter, GitHub, Tumblr, iMesh and LinkedIn have all recently forced their customers to reset their passwords. Security experts say each of these firms has suffered password reuse attacks tied to the recent surfacing of massive credential sets from mega-breaches at LinkedIn, Tumblr, VK.com, Fling and MySpace.

“While we will continue to monitor and investigate the matter, we have determined that usernames and passwords are involved. Additionally, for some accounts, other personal information may have been exposed,” the statement read.

Affected are Mac and Windows Carbonite Personal and Carbonite Pro customers along with Carbonite Server Backup and MailStore users.

Along with forcing a password reset, Carbonite is urging its customers to replace old passwords with complex passwords and when possible use two-factor authentication (2FA) to protect accounts. However, at this time Carbonite does not offer 2FA as a default option.

Password reuse attacks are not new. But since May, when it was revealed that more than 164 million LinkedIn credentials were for sale on the black market, there have been back-to-back reports of similar breaches; in total, more than 642 million user names and passwords have been spotted for sale on the dark web.

One of the affected sites, MySpace, for example, was initially hacked in 2008, but it wasn’t until late May that information on 360 million of its users, including their email addresses and the unsalted SHA-1 hashes of the first 10 characters of their passwords, was sold publicly online. Because those hashes carry no salt and cover only a truncated password, a single precomputed table of hashed password guesses can be matched against every account in the dump at once. Just two weeks before the MySpace revelation, information on 164 million LinkedIn users, including email addresses and passwords stored as SHA-1 hashes without salt, was exposed.

Data from large breaches has been available for some time, said Orlando Scott-Cowley, cybersecurity strategist at email security firm Mimecast in an interview regarding last week’s GoToMyPC password reset.

“It’s a good bet that these massive stolen user credential databases are being cross-referenced on the dark web,” he said. Each one of these stolen accounts might not be worth much alone, he said. But together, many seemingly disparate user accounts can be combined into a complete user profile for hacking into high-value accounts, Scott-Cowley said.
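The two mechanisms the article describes, cracking an unsalted, truncated SHA-1 dump with one shared lookup table and then replaying the recovered email/password pairs against an unrelated site, can be shown end to end. The following is an added example written for this page, not Carbonite's, MySpace's or any researcher's code; every account, password, salt and wordlist entry in it is constructed, and the names WORDLIST, DUMP_A, SITE_B and the helper functions are assumptions made for the illustration. It also shows, for contrast, why a per-user salt and a slow KDF defeat the shared table while doing nothing against reuse itself.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Tuple

# Everything below (accounts, passwords, wordlist, salts) is constructed for this
# example. No real breach data is used.

# A tiny stand-in for an attacker's wordlist; real ones hold hundreds of millions of entries.
WORDLIST = ["123456", "password", "letmein", "sunshine2008", "qwerty", "iloveyou"]
KDF_ITERATIONS = 20_000  # kept low so the example runs quickly; production uses far more


def unsalted_truncated_sha1(password: str) -> str:
    """The storage scheme the article describes for the leaked MySpace data:
    plain SHA-1 over the first 10 characters of the password, no salt."""
    return hashlib.sha1(password[:10].encode()).hexdigest()


# "Breach A": what an attacker buys, in the form the article describes (email -> hash).
DUMP_A: Dict[str, str] = {
    "alice@example.com": unsalted_truncated_sha1("sunshine2008"),
    "bob@example.com": unsalted_truncated_sha1("letmein"),
    "carol@example.com": unsalted_truncated_sha1("Tr0ub4dor&3-rare"),  # not in WORDLIST
}


def build_lookup_table(wordlist: List[str]) -> Dict[str, str]:
    """Hash each candidate exactly once. With no salt, this single table is
    reusable against every account in DUMP_A and every other unsalted dump."""
    return {unsalted_truncated_sha1(w): w for w in wordlist}


def crack_unsalted_dump(dump: Dict[str, str], table: Dict[str, str]) -> Dict[str, str]:
    """Recover a password for each account whose hash appears in the table.
    Cost: one dictionary lookup per account, regardless of dump size."""
    return {email: table[h] for email, h in dump.items() if h in table}


# "Site B": an unrelated service that stores passwords properly (per-user random
# salt plus PBKDF2). Alice reused her Breach A password here.
def make_record(password: str) -> Tuple[bytes, bytes]:
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)


SITE_B: Dict[str, Tuple[bytes, bytes]] = {
    "alice@example.com": make_record("sunshine2008"),  # reused from Breach A
    "bob@example.com": make_record("a-different-password-here"),
    "dave@example.com": make_record("qwerty"),  # not present in Breach A
}


def site_b_login(email: str, password: str) -> bool:
    """Site B's front door: verifies a login against its salted PBKDF2 store."""
    record = SITE_B.get(email)
    if record is None:
        return False
    salt, digest = record
    attempt = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, KDF_ITERATIONS)
    return hmac.compare_digest(digest, attempt)


def credential_stuff(cracked: Dict[str, str], login: Callable[[str, str], bool]) -> List[str]:
    """The reuse attack: replay email/password pairs recovered from Breach A
    against Site B's login. Site B's hashing strength is irrelevant here; only
    the user's password reuse matters."""
    return [email for email, pw in cracked.items() if login(email, pw)]


def crack_salted_store(store: Dict[str, Tuple[bytes, bytes]],
                       wordlist: List[str]) -> Tuple[Dict[str, str], int]:
    """Offline attack on Site B's store, for comparison. The salt makes the
    precomputed table useless: every guess must be recomputed for every account.
    Returns recovered passwords and the number of KDF evaluations spent."""
    found: Dict[str, str] = {}
    kdf_calls = 0
    for email, (salt, digest) in store.items():
        for candidate in wordlist:
            kdf_calls += 1
            guess = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, KDF_ITERATIONS)
            if hmac.compare_digest(digest, guess):
                found[email] = candidate
                break
    return found, kdf_calls


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    cracked = crack_unsalted_dump(DUMP_A, table)
    print("Cracked from unsalted dump:", cracked)
    print("Site B accounts taken over by reuse:", credential_stuff(cracked, site_b_login))
    found, calls = crack_salted_store(SITE_B, WORDLIST)
    print(f"Offline attack on salted store: {found} after {calls} KDF calls "
          f"(vs {len(WORDLIST)} hashes to build the shared table)")
```

The point of the comparison is the asymmetry: one table of six hashes cracks every weak account in the unsalted dump, whereas the salted store forces a fresh, deliberately slow computation per account and per guess. Neither storage scheme at Site B stops the stuffing step, which is why the article's advice is aimed at users (unique passwords, 2FA) rather than only at the breached site.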

Discussion

  • Irene Davis

    I updated Carbonite about a week ago and have been worried it was a scam request. Am I safe?
  • Nathan Pinkerton

    Common security practice is to teach users not to click links in email. I wish that Carbonite (and others in this situation) would instruct users to visit their website manually, and perform the reset from there, rather than only providing a link in the email. HTTP links are fairly reliable, in a web browser, for people who know to look down at the status bar... but in an email client, they are nearly completely devoid of any indication of where they actually link. Email links are astoundingly easy to obfuscate, and should never be trusted. Thankfully, this was not like the Dropbox fiasco 4 years ago, that forced me to finally resort to clicking on (and reassuring the people in my circle of friends and family that it was OK to click on) a link in email. Thankfully I was able to go to Carbonite's website and reset my password from there, without clicking a link in an unsolicited email... I just wish that the initial unsolicited email would have requested that action, rather than only providing a link in said email.
