Password Reset After Hackers Target Carbonite Accounts


Online back-up company Carbonite has warned customers it’s resetting all user log-ins after discovering a number of unauthorized attempts to access accounts via potentially compromised and reused credentials.

The firm moved quickly to reassure customers that its own systems had not been compromised, adding:

“This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.”

User names, passwords and, for some accounts, personal information appear to have been involved, Carbonite continued.

As a result, the firm said users will receive an email in the next few days asking them to reset their passwords, and it recommended that the new passwords be strong and unique. It also suggested they reset any passwords used for other online services if they are the same as or similar to the ones used for Carbonite.

To help customers spot phishing emails, Carbonite urged them to check that the sender’s email address is carbonite@cloud.carbonite.com. It added that the URL they reach if they click through should be account.carbonite.com, and that it won’t ask them to download or run any executables.

However, users were quick to complain in the comments section that the password reset email still appeared dubious.

In response, the firm said it had put a banner on its homepage alerting users of the changes and posted the same message to social media channels.

The incident underscores the importance of users avoiding password reuse, as reuse improves success rates for brute force attacks, according to Imperva security researcher Nadav Avital.

“The popularity of this attack is on the rise since it is fairly simple; it requires minimal resources from the attacker and there are lots of leaked credentials to work with,” he argued. “There are plenty of tools out there, including advanced ones that can mask the attacker’s identity through TOR, rotating the user-agent string and more.”

These types of attack also place an “intense load” on the authentication server of the attacked site, and can severely disrupt operations by leading to users being locked out of their accounts if safety procedures kick in, Avital added.

“Sadly, most sites lack the proper security measures to stop these attacks,” he concluded. “A proper mitigation must provide account takeover solutions such as detection of stolen passwords usage, detection of automated tools (bots) and detection of account access from malicious device.”
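To make the detection side of this concrete, here is an added example (not from the article, Carbonite or Imperva) that classifies login sources from authentication events: reused-credential attacks show up as many distinct accounts tried from one source with a low success ratio. The event tuples, thresholds and function name are assumptions, and grouping by IP alone is a simplification given the proxy and user-agent rotation Avital describes.

```python
from collections import defaultdict

# Constructed sample auth events: (source_ip, username, success). Not real data.
SAMPLE_EVENTS = (
    [("203.0.113.7", f"user{i}@example.com", i == 17) for i in range(40)]  # many accounts, one hit
    + [("198.51.100.4", "alice@example.com", False)] * 3                    # one user mistyping
    + [("198.51.100.4", "alice@example.com", True)]
    + [("192.0.2.9", "bob@example.com", False)] * 30                        # single-account guessing
)

def classify_sources(events, min_attempts=20, min_accounts=10, max_success_ratio=0.1):
    """Group login events by source and label each source.

    credential_stuffing: many distinct accounts, low success ratio
    single_account_guessing: many failures against few accounts
    normal: everything else
    Thresholds are illustrative assumptions and need tuning per site.
    """
    per_src = defaultdict(lambda: {"attempts": 0, "ok": 0, "users": set(), "hit": set()})
    for ip, user, ok in events:
        s = per_src[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if ok:
            s["ok"] += 1
            s["hit"].add(user)
    report = {}
    for ip, s in per_src.items():
        ratio = s["ok"] / s["attempts"]
        if s["attempts"] < min_attempts or ratio > max_success_ratio:
            label = "normal"
        elif len(s["users"]) >= min_accounts:
            label = "credential_stuffing"
        else:
            label = "single_account_guessing"
        # Accounts that logged in successfully from a flagged source need a forced reset.
        reset = sorted(s["hit"]) if label == "credential_stuffing" else []
        report[ip] = {"label": label, "accounts": len(s["users"]), "force_reset": reset}
    return report

if __name__ == "__main__":
    for ip, row in classify_sources(SAMPLE_EVENTS).items():
        print(ip, row)
```

Acting on the source rather than locking every targeted account avoids the user lockouts described above, while the `force_reset` list covers accounts whose reused password actually worked.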

The incident also highlights the need for two-factor authentication, which would have overcome these issues, although some users find it adds extra friction to the log-in process.
