Online backup firm Carbonite is forcing all of its 1.5 million users to change their passwords after reporting that accounts were targeted in a password reuse attack. According to a statement issued by Carbonite on Tuesday, hackers were attempting to break into user accounts using stolen credentials. In some cases, personal information may have been exposed, Carbonite wrote in a blog post.
The mandatory password reset by Carbonite is just the latest in a long string of such resets by online companies including Citrix’s GoToMyPC, TeamViewer, Twitter, GitHub, Tumblr, iMesh and LinkedIn, which have also recently forced their customers to change their passwords. Security experts say each of these firms has suffered from password reuse attacks tied to recent revelations of massive credential losses from mega-breaches at LinkedIn, Tumblr, VK.com, Fling and MySpace.
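The pattern behind every reset named above is the same: credentials leaked from one service are replayed against another. The following detector is an added example (not Carbonite's or any of the named companies' code) that runs over a few constructed authentication log lines and flags a source that tries many different usernames in a short window with mostly failures, the signature of a credential-replay rather than a user mistyping their own password. The log format, IP addresses, usernames and thresholds are all assumptions for illustration.

```python
"""Detect credential replay (password reuse attacks) in constructed auth logs.

Heuristic: a replay of a breach dump tries many DIFFERENT usernames from one
source and mostly fails, because only users who reused a password succeed.
A legitimate user who forgot a password retries ONE account a few times.
All values below are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2016-06-21T10:00:01 203.0.113.7 alice FAIL
2016-06-21T10:00:02 203.0.113.7 bob FAIL
2016-06-21T10:00:02 203.0.113.7 carol FAIL
2016-06-21T10:00:03 203.0.113.7 dave OK
2016-06-21T10:00:03 203.0.113.7 erin FAIL
2016-06-21T10:00:04 203.0.113.7 frank FAIL
2016-06-21T10:00:05 203.0.113.7 grace FAIL
2016-06-21T10:00:06 203.0.113.7 heidi FAIL
2016-06-21T10:00:07 203.0.113.7 ivan FAIL
2016-06-21T10:00:08 203.0.113.7 judy OK
2016-06-21T10:05:00 198.51.100.20 alice FAIL
2016-06-21T10:05:10 198.51.100.20 alice FAIL
2016-06-21T10:05:30 198.51.100.20 alice OK
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=8, max_success_ratio=0.5):
    """Return {source_ip: summary} for sources that look like credential replay.

    A source is flagged when, inside any `window`, it attempts at least
    `min_users` distinct usernames and no more than `max_success_ratio` of
    those attempts succeed. The successful logins of a flagged source are the
    accounts a defender should force-reset first: they are the users whose
    reused password was present in the dump being replayed.
    """
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, ip, user, ok = parse_line(line)
            events[ip].append((ts, user, ok))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        best = None
        start = 0
        for end in range(len(evs)):
            # Sliding window: drop events older than `window` from the front.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            chunk = evs[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sorted({u for _, u, ok in chunk if ok})
            ratio = (len(chunk) - len(successes)) and len(successes) / len(chunk)
            if len(users) >= min_users and len(successes) / len(chunk) <= max_success_ratio:
                # Keep the widest qualifying window so no compromised account is missed.
                if best is None or len(chunk) > best["attempts"]:
                    best = {"distinct_users": len(users),
                            "attempts": len(chunk),
                            "compromised": successes}
        if best is not None:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

On the constructed log the first source is flagged (ten distinct usernames, two successes), while the second source, one user retrying their own account, is not. In production the thresholds would be tuned per service, and the `compromised` list is the input to a targeted reset rather than a blanket one.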
“While we will continue to monitor and investigate the matter, we have determined that usernames and passwords are involved. Additionally, for some accounts, other personal information may have been exposed,” the statement read.
Affected are Mac and Windows Carbonite Personal and Carbonite Pro customers along with Carbonite Server Backup and MailStore users.
Along with forcing a password reset, Carbonite is urging its customers to replace old passwords with complex ones and, where possible, to use two-factor authentication (2FA) to protect accounts. However, at this time Carbonite does not offer 2FA as a default option.
Password reuse attacks are not new. But since May, when it was revealed that more than 164 million LinkedIn credentials were for sale on the black market, there have been back-to-back reports of similar breaches, totaling more than 642 million usernames and passwords spotted for sale on the dark web.
One of the affected sites, MySpace, for example, was initially hacked in 2008, but it wasn’t until late May that information on 360 million of its users, including their email addresses and the unsalted SHA-1 hashes of the first 10 characters of their passwords, was sold publicly online. Just two weeks prior to the MySpace breach revelation, information on 164 million LinkedIn users, including email addresses and passwords stored as SHA-1 hashes without salt, was exposed.
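Both dumps above share the weakness that makes them so useful for reuse attacks: without a per-user salt, every user who chose the same password has the same hash, so one precomputed table of common passwords resolves the whole dump at once, and MySpace's truncation to 10 characters means a longer password gives no more protection than its first 10 characters. The block below is an added example (not code from MySpace, LinkedIn or the article) that reproduces the two storage schemes as the article describes them, shows the collision and truncation properties on a handful of constructed passwords, and contrasts them with a per-user salt and a slow key-derivation function from the Python standard library (PBKDF2-HMAC-SHA256). The password list and user names are constructed.

```python
"""Unsalted SHA-1 (as described for the MySpace and LinkedIn dumps) versus a
salted, slow hash. Everything here is a constructed illustration."""
import hashlib
import os

PBKDF2_ITERATIONS = 100_000  # assumption for the example; tune per deployment


def myspace_style_hash(password):
    """Constructed reproduction of the scheme the article describes for MySpace:
    unsalted SHA-1 of only the first 10 characters of the password."""
    return hashlib.sha1(password[:10].encode()).hexdigest()


def linkedin_style_hash(password):
    """Constructed reproduction of the LinkedIn scheme: unsalted SHA-1 of the
    full password."""
    return hashlib.sha1(password.encode()).hexdigest()


def salted_hash(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Hardened form: random 16-byte per-user salt plus PBKDF2-HMAC-SHA256.
    The salt is stored alongside the digest as 'salthex$digesthex'."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt.hex() + "$" + digest.hex()


def verify_salted(password, stored, iterations=PBKDF2_ITERATIONS):
    """Recompute with the stored salt and compare."""
    salt_hex, _ = stored.split("$")
    return salted_hash(password, bytes.fromhex(salt_hex), iterations) == stored


# Constructed list standing in for a wordlist of frequently chosen passwords.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "summer2016"]


def build_lookup(hash_fn, candidates=COMMON_PASSWORDS):
    """One table serves an entire unsalted dump: the hash of a candidate is the
    same for every user, so it is computed once, not once per user."""
    return {hash_fn(p): p for p in candidates}


def resolve_unsalted_dump(dump, hash_fn):
    """Map each user in {user: hash} to the matching common password, or None.
    This is what 'cross-referencing' an unsalted dump amounts to."""
    table = build_lookup(hash_fn)
    return {user: table.get(h) for user, h in dump.items()}


if __name__ == "__main__":
    # Truncation: characters beyond the 10th change nothing in the MySpace scheme.
    print(myspace_style_hash("summer2016!!") == myspace_style_hash("summer2016"))
    # Same password, same hash across users when unsalted; not when salted.
    print(linkedin_style_hash("password") == linkedin_style_hash("password"))
    print(salted_hash("password") == salted_hash("password"))
```

The defensive takeaways are the three properties the tests check: truncation discards entropy, an unsalted hash lets one table cover every user, and a per-user salt with a slow KDF makes each stored credential cost a separate computation.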
Data from large breaches has been available for some time, said Orlando Scott-Cowley, cybersecurity strategist at email security firm Mimecast in an interview regarding last week’s GoToMyPC password reset.
“It’s a good bet that these massive stolen user credential databases are being cross-referenced on the dark web,” he said. Each one of these stolen accounts might not be worth much alone, he said. But together many seemingly disparate user accounts can come together and create a complete user profile for hacking into high-value accounts, Scott-Cowley said.