Online backup company Carbonite is the latest firm to warn that hackers are attempting to break into its users' accounts, and it is prompting all users to change their passwords as a result.
An email has been sent to Carbonite users explaining that the attackers are thought to be using passwords gleaned from other recent mega-breaches.
Part of the email reads as follows:
As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.
Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.
To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information.
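The pattern Carbonite describes, a third party replaying email/password pairs stolen elsewhere, has a recognisable shape in login logs, and it is worth seeing what "ongoing security monitoring" has to look for. The following is an added example, not Carbonite's monitoring code: it runs a simple credential-stuffing heuristic over a constructed login log (the log format, field names and thresholds are assumptions for illustration) and lists the accounts a flagged source actually got into.

```python
"""Credential-stuffing detection over constructed login events.

Added example, not Carbonite's monitoring code. The log format, field
names and thresholds are assumptions chosen for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log: timestamp, source IP, account, outcome.
# 203.0.113.7 walks a stolen email:password list (one try per account, a
# few hits); 198.51.100.4 is a user mistyping and then succeeding;
# 198.51.100.9 is an ordinary login.
SAMPLE_LOG = """\
2016-06-21T14:20:01Z 203.0.113.7 alice@example.com FAIL
2016-06-21T14:20:02Z 203.0.113.7 bob@example.com FAIL
2016-06-21T14:20:02Z 203.0.113.7 carol@example.com OK
2016-06-21T14:20:03Z 203.0.113.7 dave@example.com FAIL
2016-06-21T14:20:03Z 203.0.113.7 erin@example.com FAIL
2016-06-21T14:20:04Z 203.0.113.7 frank@example.com OK
2016-06-21T14:20:05Z 203.0.113.7 grace@example.com FAIL
2016-06-21T14:20:05Z 203.0.113.7 heidi@example.com FAIL
2016-06-21T14:21:10Z 198.51.100.4 alice@example.com FAIL
2016-06-21T14:21:40Z 198.51.100.4 alice@example.com OK
2016-06-21T14:22:00Z 198.51.100.9 ivan@example.com OK
"""


@dataclass
class Event:
    ts: str
    ip: str
    account: str
    ok: bool


def parse(log: str) -> list[Event]:
    """Parse whitespace-separated log lines into Event records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ip, account, outcome = line.split()
        events.append(Event(ts, ip, account.lower(), outcome == "OK"))
    return events


def find_stuffing_sources(events, min_accounts=5, max_tries_per_account=2.0):
    """Flag source IPs whose traffic looks like credential stuffing.

    Stuffing signature: one source tries many *distinct* accounts, about once
    each, because the attacker already holds a candidate password per account.
    Brute force looks the opposite (one account, many tries), and a user
    retrying a typo touches only their own account.
    """
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        accounts = {e.account for e in evs}
        tries_per_account = len(evs) / len(accounts)
        if len(accounts) >= min_accounts and tries_per_account <= max_tries_per_account:
            flagged[ip] = {
                "attempts": len(evs),
                "accounts": len(accounts),
                "hits": sorted(e.account for e in evs if e.ok),
            }
    return flagged


def accounts_to_reset(events, **thresholds):
    """Accounts that a flagged source logged into successfully.

    A hit from a stuffing source means the password was valid *and* present
    in the attacker's list, i.e. reused from another breach: reset these first.
    """
    flagged = find_stuffing_sources(events, **thresholds)
    return sorted({a for stats in flagged.values() for a in stats["hits"]})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    for ip, stats in find_stuffing_sources(evs).items():
        print(f"{ip}: {stats['attempts']} attempts over {stats['accounts']} accounts, hits={stats['hits']}")
    print("force reset:", accounts_to_reset(evs))
```

On the constructed log only 203.0.113.7 is flagged, with carol and frank as confirmed hits. A real attacker spreads attempts over many source addresses, so the same ratio should be computed per ASN or per client fingerprint as well as per IP. Note also why a defender may still reset everyone, as Carbonite did: the heuristic only finds the accounts it happened to see, and any account whose password appeared in the stolen list is exposed whether or not the attacker reached it yet.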
Nobody is keen for a hacker to break into their online accounts, but keeping them out matters all the more when what the account protects is your computer backup. If a hacker were able to gain access to your online backup they could, in theory, make a copy of every file on your hard drive, including those you may have thought were erased long ago.
There are instructions in the Carbonite knowledgebase explaining how users can change their passwords.
But don’t stop there. Once you’ve changed your Carbonite password, you should also ensure that you have created new passwords for any *other* site where you might be reusing the same passwords.
Your best defence to protect against password reuse attacks is so simple it beggars belief that more people don’t deploy it: stop reusing passwords. Always use different passwords for different websites.
And if you think that your puny human brain can’t remember lots of different, hard-to-crack passwords then you’re in the same boat as me. Get a password manager to do the job for you.
The company says that it will be rolling out additional security measures to protect accounts, including two-factor authentication (2FA).
There are a lot of web services that already offer two-step verification (2SV) or two-factor authentication to help users harden their accounts.
Here are some links which will help you better protect yourself online.
Read more about 2SV
- Two-factor authentication (2FA) versus two-step verification (2SV)
- How to better protect your Facebook account from hackers
- How to better protect your Twitter account from hackers
- How to enable two-step verification (2SV) on your WhatsApp Account
- How to protect your Amazon account with two-step verification (2SV)
- How to better protect your Google account with two-step Verification (2SV)
- How to protect your Dropbox account with two-step verification (2SV)
- How to protect your Office 365 users with multi-factor authentication
- How to protect your Microsoft account with two-step verification (2SV)
- How to better protect your Tumblr account from hackers with 2SV
- How to protect your LinkedIn account from hackers with two-step verification (2SV)
- How to protect your PayPal account with two-step verification (2SV)
- How to protect your Yahoo account with two-step verification (2SV)
- How to protect your Apple ID account against hackers
- How to better protect your Google account with two-step verification and Google Authenticator
- How to protect your Hootsuite account from hackers
- How to better protect your Instagram account with two-step verification (2SV)
- Instagram finally supports third-party 2FA apps for greater account security
- How to protect your Nintendo account from hackers with two-step verification (2SV)
- How to better protect your Roblox account from hackers with two-step verification (2SV)
15 comments on “Online backup firm Carbonite tells users to change their passwords now”
Don't you think it is horrible practice for a security sensitive site like Carbonite to have us click on an update in an email from them to change our password? They should have asked us to log onto their site and had a secure method to update the password from there. How can I tell the difference between phishing and this type of update without having to spend a lot of time making sure it is okay? How do I know if the email I got has been hacked somehow and that the links in it are not being keylogged or something like that? Not good in my opinion. I am going to go on Carbonite's site and ask them how to do the update from there.
I tend to agree Bob. It's all too easy for opportunist phishers to take advantage of an incident like this, and create emails that lead to bogus websites. Hopefully Carbonite and its customers will keep their eye open for that.
Although there's some sensible advice in Carbonite's email, I think companies in their position would do better to offer a full link (in other words, https://www.example.com/reset-password rather than using any HTML shenanigans) or advise customers to simply visit their site as normal and click on the "Forgot password" link. Indeed, that's what Carbonite seems to be suggesting to customers who don't wish to click on the link in the email: https://support.carbonite.com/articles/Password-Reset-Email-Instructions
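The "HTML shenanigans" mentioned above have a concrete shape: an anchor whose visible text is one URL while its href goes somewhere else. The following is an added example, not code from this site or from Carbonite, that pulls every link out of an HTML message and flags the usual tells: visible URL and real destination naming different hosts, a destination outside the sender's domain, and plain http. The two sample emails and the hostnames in them are constructed for the example.

```python
"""Flag deceptive links in an HTML email.

Added example, not code from the page or from Carbonite. The sample
messages and hostnames below are constructed for illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _Anchors(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """Lower-cased host of an absolute URL, or '' if there is none."""
    return (urlparse(url).hostname or "").lower()


def in_domain(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def suspicious_links(html: str, sender_domain: str):
    """Return [(href, visible_text, [reasons])] for anchors worth a second look."""
    parser = _Anchors()
    parser.feed(html)
    findings = []
    for href, text in parser.anchors:
        reasons = []
        href_host = host_of(href)
        if not in_domain(href_host, sender_domain):
            reasons.append(f"href host {href_host!r} is outside {sender_domain!r}")
        # The classic trick: the visible text *is* a URL, just not the one you get.
        text_host = host_of(text) if text.lower().startswith(("http://", "https://")) else ""
        if text_host and text_host != href_host:
            reasons.append(f"text shows {text_host!r} but link goes to {href_host!r}")
        if href.lower().startswith("http://"):
            reasons.append("link is plain http, not https")
        if reasons:
            findings.append((href, text, reasons))
    return findings


# Constructed sample emails: one honest full link, one lookalike.
HONEST = ('<p>To choose a new password, visit '
          '<a href="https://www.example.com/reset-password">'
          'https://www.example.com/reset-password</a></p>')
DECEPTIVE = ('<p>Your password was reset. Click '
             '<a href="http://www.example.com.account-check.test/reset">'
             'https://www.example.com/reset-password</a> now.</p>')

if __name__ == "__main__":
    for name, body in (("honest", HONEST), ("deceptive", DECEPTIVE)):
        print(name, suspicious_links(body, "example.com") or "no findings")
```

The honest message produces no findings; the deceptive one is caught three ways on a single anchor. The check is deliberately conservative: it does nothing about a link that really is on the sender's domain but passes through an open redirect or a click-tracking host, which is exactly why the advice above to type the site's address yourself and use "Forgot password" still stands.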
Of course it should tell them to go to the website. After all, many URLs look scarily accurate to what they are pretending to be. Then you consider that the look itself isn't the only problem (or method) when it comes to tricking users. But it's worse, isn't it?
Sadly most organisations will continue to get this wrong and worse is it's so tempting to click on a link; that is another complication: in general links in email are for convenience (no need to go here, click next and then click next one more time when instead you can click on a single link taking you directly to the location). This is true regardless of the nature of the email (or reason for it). And I seem to think that even if you send mail in text (as I do at least on the accounts I have remembered to change the default in Thunderbird) if the client interprets it then it's made into a link. Even if it isn't turned into a hyperlink you can copy and paste the link instead. Of course there is also the problem of making a typo (hence typosquatting)…
All of these reasons (and others not listed) complicate things, condition people into not following best practice and therefore leave them more vulnerable to phishing. So yes, it'd be good if they say to go to their website, but I think this is most of the time asking for too much, and in any case there are no real solutions to this problem.
You be the judge. Here is my chat:
(14:21:00) A secure encrypted SSL connection has been established.
(14:21:03) Your support representative will be with you shortly. This session may be recorded for quality assurance.
(14:21:03) By continuing to use this application (which includes but not limited to, granting access to and/or viewing of your computer) you are agreeing to the following: Full Terms & Conditions
(14:21:04) This session has been transferred to Jessica.
(14:21:05) You are now chatting with Jessica.
(14:21:18) Jessica said to you:
Good evening ***** and thank you for contacting Carbonite! One moment please while I bring up your information.
(14:21:46) You said to Jessica:
I am an IT Technician for *************. Who gave you authorization to change our password to the admin account??
(14:22:01) Jessica said to you:
We did a mass password reset this afternoon for all of our customers and each customer should be receiving an email soon asking them to set up a new password. Our security systems detected that a third party was attempting to access customer accounts using emails and passwords obtained elsewhere so we decided to take some preemptive action against it.
(14:22:24) You said to Jessica:
You failed to answer the question
(14:22:56) Jessica said to you:
We did not change any password, we disabled the current ones.
(14:23:10) You said to Jessica:
you do not have that authority
(14:23:47) You said to Jessica:
For your protection and the safety of your data, we have reset the password on your account. To access your account, you must choose a new, secure password.
(14:24:00) You said to Jessica:
This action is being taken proactively and at this time there is no evidence to indicate that your account or data have been compromised. Your backups are safe and your regular backup schedule will continue
(14:24:58) You said to Jessica:
I will ask again, who gave you the authority??
(14:26:02) Jessica said to you:
As a Carbonite customer it is our imperative to make sure that your data is secure at all times by any means necessary, including requesting password resets when a potential breach of data security is detected. This was not done maliciously, it was done to protect your data. I apologize that you are inconvenienced by this, but we reset 100% of our users' passwords, not just yours.
(14:28:43) You said to Jessica:
If you want to enforce a policy, you do that from a login screen with a prompt notification, that is BASIC computer security. A company that decides for themselves to reset the password for the entire database of users is a company that has failed to properly secure and provide for customer needs and usage.
(14:29:50) Jessica said to you:
If you would like to bring this up to the correct team, I would recommend that you email either [email protected] or [email protected]. I am only technical support; I do not decide when passwords get reset or if they do, and have no say in what happens then.
(14:29:55) You said to Jessica:
I have never had a company send me an email that THEY changed a password and you need to click this link to reset the password, except when someone is trying a phishing scam on a user!!
(14:31:10) You said to Jessica:
Then once again WHO GAVE YOU THE AUTHORITY. I have tried to call but I guess you opened a shit storm by changing the password of the entire user account database!!
(14:33:56) Jessica said to you:
Our senior management decided that this was the best course of action to ensure account security. Again, I have no say in this and you are more than welcome to send an email to [email protected] or [email protected] with your concerns.
To be honest, I feel sorry for Jessica…
Me too considering the fact she wasn't the one who reset the password. When you sign up for a service, you sign up on their terms. If you don't like their terms, you find someone else.
I think it's a pretty classy move to censor your own information and not that of the person who was trying to help you, despite the fact that she obviously had no power in the decision making process.
Berating her with questions that were asinine obviously displays your intelligence and superior intellect. Congrats.. you really gave her what for!
I oftentimes visit my local police station to ask them why Congress passes laws which I don't agree with. I feel this is an effective method for change.
I have no doubt that you will be receiving a heartfelt apology tomorrow from Carbonite's CEO. Perhaps also a free year of service for your extreme inconvenience having to update your password. If only they had left your account vulnerable to attack, this unfortunate incident may never have occurred.
Why are people who care about security even using Carbonite?
If you want true, zero-knowledge, security then you must manage your password/keys yourself. If you're the only person who knows your password then you're the only one who can change it. It should go without saying that with a zero-knowledge service that, if you forget your password, you can kiss goodbye to your data.
Tresorit or Spideroak are two well-respected zero-knowledge services.
More security is always a good thing, though it doesn't matter how many people know your pw if you use the same pw across multiple accounts. It only takes the weakest account to get hacked.
I have a carbonite account (which does allow for me to manage my own encryption key) and got the same email, went to the site and changed my pw without issue. I already knew using the same pw across accounts was a bad idea, though tbh I was doing it anyway out of laziness.
The experience has led me to take Graham's advice and invest in a pw manager.
Unfortunately Carbonite's security doesn't quite add up compared to true zero-knowledge services.
It's better than nothing but is designed mainly as a tick in the box for American HIPAA requirements.
In your case the password you changed will be for your account and not your data. Choosing a strong, unique password is a good idea but make sure you keep a secure backup of the password manager's database!
Two open source (and free), trusted, vetted password managers are:
Password Safe (https://pwsafe.org/)
The other frustrating thing is that it's been almost 12 hours since I followed their instructions and clicked the "forgot my password" link, which should generate a message to my e-mail address telling me how to establish my new password. And I followed that up (after an hour) with an hour's wait in a chat queue to talk to a customer service rep whose only response was to say that it would take several hours for the message to be sent, but he'd send another one now. Well, there's nothing in my mailbox. I suspect that they're overwhelmed after not thinking this through. Fortunately, there's nothing mission-critical in my back-up; I use it to back up my genealogy files so I can get access from other computers when I travel. I do think I'll do a home back-up with my big flash drive, just in case.
You should be making local backups anyway. Never put all your eggs in one basket.
Why the 3-2-1 backup rule STILL makes sense
I agree with Bob Frank. Sending a "click on me" email to secure the compromised Carbonite site is such a classic that Carbonite should easily know to do better by their customers than to use the bad guys' most frequent strategy. We tell clients not to click on emails like these, all day, most days.