Online backup firm Carbonite tells users to change their passwords now

Never use the same password for multiple sites.


Online backup company Carbonite is the latest firm to warn that hackers are attempting to break into its users' accounts, and it is prompting all users to change their passwords as a result.

An email has been sent to Carbonite users explaining that the attackers are thought to be using passwords gleaned from other recent mega-breaches.


Part of the email reads as follows:

As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.

Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.

To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information.

Nobody is keen for a hacker to break into their online accounts, but it's especially important when what's being protected by your account is your computer backup. If a hacker were able to gain access to your online backup they could - in theory - make a copy of every file on your hard drive, including those you may have thought were erased long ago.

There are instructions in the Carbonite knowledgebase explaining how users can change their passwords.

But don't stop there. Once you've changed your Carbonite password, you should also ensure that you have created new passwords for any *other* site where you might be reusing the same passwords.

Your best defence against password reuse attacks is so simple it beggars belief that more people don't deploy it: stop reusing passwords. Always use different passwords for different websites.

And if you think that your puny human brain can't remember lots of different, hard-to-crack passwords then you're in the same boat as me. Get a password manager to do the job for you.

The company says that it will be rolling out additional security measures to protect accounts, including two-factor authentication (2FA).

There are a lot of web services that already offer two-step verification (2SV) or two-factor authentication to help users harden their accounts.

Here are some links which will help you better protect yourself online.


15 Responses

  1. Bob Frank

    June 21, 2016 at 9:58 pm #

    Don't you think it is horrible practice for a security sensitive site like Carbonite to have us click on an update in an email from them to change our password? They should have asked us to log onto their site and had a secure method to update the password from there. How can I tell the difference between phishing and this type of update without having to spend a lot of time making sure it is okay? How do I know if the email I got has been hacked somehow and that the links in it are not being keylogged or something like that? Not good in my opinion. I am going to go on Carbonite's site and ask them how to do the update from there.

    • Graham Cluley in reply to Bob Frank.

      June 21, 2016 at 10:13 pm #

      I tend to agree Bob. It's all too easy for opportunist phishers to take advantage of an incident like this, and create emails that lead to bogus websites. Hopefully Carbonite and its customers will keep their eye open for that.

      Although there's some sensible advice in Carbonite's email, I think companies in their position would do better to offer a full link (in other words, https://www.example.com/reset-password rather than using any HTML shenanigans) or advise customers to simply visit their site as normal and click on the "Forgot password" link. Indeed, that's what Carbonite seems to be suggesting to customers who don't wish to click on the link in the email: https://support.carbonite.com/articles/Password-Reset-Email-Instructions

      • coyote in reply to Graham Cluley.

        June 21, 2016 at 11:54 pm #

        Of course it should tell them to go to the website. After all, many URLs look scarily accurate to what they are pretending to be. Then you consider that the look itself isn't the only problem (or method) when it comes to tricking users. But it's worse, isn't it?

        Sadly most organisations will continue to get this wrong and worse is it's so tempting to click on a link; that is another complication: in general links in email are for convenience (no need to go here, click next and then click next one more time when instead you can click on a single link taking you directly to the location). This is true regardless of the nature of the email (or reason for it). And I seem to think that even if you send mail in text (as I do at least on the accounts I have remembered to change the default in Thunderbird) if the client interprets it then it's made into a link. Even if it isn't turned into a hyperlink you can copy and paste the link instead. Of course there is also the problem of making a typo (hence typosquatting)…

        All of these reasons (and others not listed) complicate things, condition people into not following the best practice and therefore more vulnerable to phishing. So yes it'd be good if they say to go to their website but I think this is most of the time asking for too much and in any case there are no real solutions to this problem.

  2. IT Technician

    June 21, 2016 at 11:22 pm #

    You be the judge. Here is my chat:
    (14:21:00) A secure encrypted SSL connection has been established.
    (14:21:03) Your support representative will be with you shortly. This session may be recorded for quality assurance.
    (14:21:03) By continuing to use this application (which includes but not limited to, granting access to and/or viewing of your computer) you are agreeing to the following: Full Terms & Conditions
    (14:21:04) This session has been transferred to Jessica.
    (14:21:05) You are now chatting with Jessica.
    (14:21:18) Jessica said to you:
    Good evening ***** and thank you for contacting Carbonite! One moment please while I bring up your information.
    (14:21:46) You said to Jessica:
    I am an IT Technician for *************. Who gave you authorization to change our password to the admin account??
    (14:22:01) Jessica said to you:
    We did a mass password reset this afternoon for all of our customers and each customer should be receiving an email soon asking them to set up a new password. Our security systems detected that a third party was attempting to access customer accounts using emails and passwords obtained elsewhere so we decided to take some preemptive action against it.
    (14:22:24) You said to Jessica:
    You failed to answer the question
    (14:22:56) Jessica said to you:
    We did not change any password, we disabled the current ones.
    (14:23:10) You said to Jessica:
    you do not have that authority
    (14:23:47) You said to Jessica:
    For your protection and the safety of your data, we have reset the password on your account. To access your account, you must choose a new, secure password.
    (14:24:00) You said to Jessica:
    This action is being taken proactively and at this time there is no evidence to indicate that your account or data have been compromised. Your backups are safe and your regular backup schedule will continue
    (14:24:58) You said to Jessica:
    I will ask again, who gave you the authority??
    (14:26:02) Jessica said to you:
    As a Carbonite customer it is our imperative to make sure that your data is secure at all times by any means necessary, including requesting password resets when a potential breach of data security is detected. This was not done maliciously, it was done to protect your data. I apologize that you are inconvenienced by this, but we reset 100% of our users' passwords, not just you.
    (14:28:43) You said to Jessica:
    If you want to enforce a policy, you do that from a login screen with a prompt notification, that is BASIC computer security. A company that decides for themselves to reset the password for the entire database of users is a company that has failed to properly secure and provide for customer needs and usage.
    (14:29:50) Jessica said to you:
    If you would like to bring this up to the correct team, I would recommend that you email either privacy@carbonite.com or legal@carbonite.com. I am only technical support, I do not decide when passwords get reset or if they do and have no say in what happens then.
    (14:29:55) You said to Jessica:
    I have never had a company send me an email that THEY changed a password and you need to click this link to reset the password, except when someone is trying a phishing scam on a user!!
    (14:31:10) You said to Jessica:
    Then once again WHO GAVE YOU THE AUTHORITY. I have tried to call but I guess you opened a shit storm by changing the password of the entire user account database!!
    (14:33:56) Jessica said to you:
    Our senior management decided that this was the best course of action to ensure account security. Again, I have no say in this and you are more than welcome to send an email to privacy@carbonite.com or legal@carbonite.com with your concerns.

    • Graham Cluley in reply to IT Technician.

      June 21, 2016 at 11:57 pm #

      To be honest, I feel sorry for Jessica…

      • Anthony in reply to Graham Cluley.

        June 22, 2016 at 2:11 pm #

        Me too considering the fact she wasn't the one who reset the password. When you sign up for a service, you sign up on their terms. If you don't like their terms, you find someone else.

    • Terrance James in reply to IT Technician.

      June 22, 2016 at 7:52 am #

      I think it's a pretty classy move to censor your own information and not that of the person who was trying to help you, despite the fact that she obviously had no power in the decision making process.

      Berating her with questions that were asinine obviously displays your intelligence and superior intellect. Congrats.. you really gave her what for!

      I oftentimes visit my local police station to ask them why Congress passes laws which I don't agree with. I feel this is an effective method for change.

      I have no doubt that you will be receiving a heartfelt apology tomorrow from Carbonite's CEO. Perhaps also a free year of service for your extreme inconvenience having to update your password. If only they had left your account vulnerable to attack, this unfortunate incident may never have occurred.

      • Notes in reply to Terrance James.

        June 22, 2016 at 12:54 pm #

        https://krebsonsecurity.com/2016/06/citing-attack-gotomypc-resets-all-passwords/

  3. Bob

    June 22, 2016 at 11:09 am #

    Why are people who care about security even using Carbonite?

    If you want true, zero-knowledge, security then you must manage your password/keys yourself. If you're the only person who knows your password then you're the only one who can change it. It should go without saying that with a zero-knowledge service that, if you forget your password, you can kiss goodbye to your data.

    Tresorit or Spideroak are two well-respected zero-knowledge services.

    • Terrance James in reply to Bob.

      June 22, 2016 at 3:07 pm #

      More security is always a good thing, though it doesn't matter how many people know your pw if you use the same pw across multiple accounts. It only takes the weakest account to get hacked.

      I have a carbonite account (which does allow for me to manage my own encryption key) and got the same email, went to the site and changed my pw without issue. I already knew using the same pw across accounts was a bad idea, though tbh I was doing it anyway out of laziness.

      The experience has led me to take Graham's advice and invest in a pw manager.

      • Bob in reply to Terrance James.

        June 22, 2016 at 10:40 pm #

        Unfortunately Carbonite's security doesn't quite add up compared to true zero-knowledge services.

        It's better than nothing but is designed mainly as a tick in the box for American HIPAA requirements.

        In your case the password you changed will be for your account and not your data. Choosing a strong, unique password is a good idea but make sure you keep a secure backup of the password manager's database!

        Two open source (and free), trusted, vetted password managers are:

        KeePass (http://keepass.info/)
        Password Safe (https://pwsafe.org/)

  4. btblue

    June 22, 2016 at 11:49 am #

    The other frustrating thing is that it's been almost 12 hours since I followed their instructions and clicked the "forgot my password" link — which should generate a message to my e-mail address telling me how to establish my new password. And I followed that up (after an hour) with an hour's wait in a chat queue to talk to a customer service rep whose only response was to say that it would take several hours for the message to be sent–but he'd send another one now. Well, there's nothing in my mailbox–I suspect that they're overwhelmed after not thinking this through. Fortunately, there's nothing mission-critical in my back-up, I use it to back up my genealogy files so I can get access from other computers when I travel. I do think I'll do a home back-up with my big flash drive, just in case.

    • -cgfgefg in reply to btblue.

      June 22, 2016 at 7:32 pm #

      You should be making local backups anyway. Never put all your eggs in one basket.

      • Bob in reply to -cgfgefg.

        June 23, 2016 at 11:41 am #

        @btblue

        Why the 3-2-1 backup rule STILL makes sense

        http://windowsitpro.com/blog/why-3-2-1-backup-rule-still-makes-sense

  5. Kate Parker

    June 27, 2016 at 7:06 pm #

    I agree with Bob Frank. Sending a click on me email to secure the compromised Carbonite site is such a classic, that Carbonite should easily know to do better by their customers than to use the bad-guy's most frequent strategy. We tell clients not to click on email like these, all day, most days.
