
Carbonite online backup service bombarded with reused passwords

23 Jun 2016 | Data loss, Security threats

by Lisa Vaas

Online backup service Carbonite is forcing users to pick new passwords in the wake of discovering that it was under a large-scale account takeover attack.

On Tuesday, the company said in a post that as far as it can tell, its own systems haven’t been breached.

Rather than pilfering logins from Carbonite itself, the attackers appear to be trying to get into Carbonite accounts with email addresses and passwords stolen by breaching other companies.

What other companies? Carbonite didn’t hazard a guess, and really, why should it? They could have come from anywhere. Humongous datasets of stolen logins have been popping up like dandelions after a spring rain.

Could be that the Carbonite logins came from people who reused the same email addresses/passwords on LinkedIn. Or on Tumblr. Or MySpace, VK, or GoToMyPC.

The list of stolen credentials available online grows every day. Add up just that list of breaches above, and over the past 2 months we’ve seen over 1 billion logins spilled, many of them up for sale on the dark web.
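The attack described above leaves a recognisable trace in a login service's own logs: one source trying many different usernames with mostly failed results, rather than one user retrying their own password. The following is an added example, not Carbonite's code or anything from the article, that flags that pattern over a few constructed log lines; the log format, the IP addresses and the thresholds are all assumptions.

```python
# Added example (not from the original article): a small credential-stuffing
# detector run over constructed authentication log lines. It flags source
# IPs that try many distinct usernames with a low success rate inside a short
# window. Log format and thresholds are assumptions for illustration.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: "<timestamp> <src_ip> <username> <result>"
# (documentation-range IPs and example.com users, not real accounts)
SAMPLE_LOG = """\
2016-06-21T10:00:01 203.0.113.7 alice@example.com FAIL
2016-06-21T10:00:02 203.0.113.7 bob@example.com FAIL
2016-06-21T10:00:02 203.0.113.7 carol@example.com OK
2016-06-21T10:00:03 203.0.113.7 dave@example.com FAIL
2016-06-21T10:00:04 203.0.113.7 erin@example.com FAIL
2016-06-21T10:00:05 203.0.113.7 frank@example.com FAIL
2016-06-21T10:03:00 198.51.100.9 alice@example.com FAIL
2016-06-21T10:03:20 198.51.100.9 alice@example.com OK
"""

def parse_line(line):
    """Split one log line into (timestamp, ip, username, succeeded)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"

def find_stuffing_sources(log_text, window=timedelta(minutes=5),
                          min_users=5, max_success_rate=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for source IPs
    whose attempts inside any sliding window hit at least min_users
    distinct usernames with a success rate at or below max_success_rate.
    A single user retrying their own password is never flagged."""
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            by_ip[line.split()[1]].append(parse_line(line))
    flagged = {}
    for ip, events in by_ip.items():
        events.sort()  # oldest first, so the sliding window is in order
        start = 0
        for end in range(len(events)):
            # advance the window start until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            window_events = events[start:end + 1]
            users = {e[2] for e in window_events}
            successes = sum(1 for e in window_events if e[3])
            rate = successes / len(window_events)
            if len(users) >= min_users and rate <= max_success_rate:
                flagged[ip] = (len(users), len(window_events), successes)
    return flagged
```

Run over the sample, only 203.0.113.7 is reported (six usernames, six attempts, one success); the second address, one user who failed once and then logged in, is left alone.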


Carbonite says that the hackers are using usernames and passwords. For some of the accounts, other personal information also appears to have been exposed.

The company’s requiring all users to reset their login information. It sent out an email with instructions on how to do that.

Carbonite also said that this won’t affect existing or scheduled backups: the files “are still being safely backed up.”

Carbonite doesn’t currently offer two-factor authentication (2FA), but it says that plans are in the works to roll it out.

The company says that this is how you can tell the password reset email is legitimate:

  • Don’t trust the sender nickname. Check the sending email address. Carbonite sent from carbonite@cloud.carbonite.com. Don’t trust an email from anything else.
  • The Reset Your Password button brings you to a Carbonite page. Check to make sure the URL is account.carbonite.com and that it has a green lock.
  • Don’t download and run anything. The password reset runs in your browser, so don’t download and run any executables, as they may be malicious.

If the password reset link isn’t working, Carbonite said you can use the Forgot Password link. Be patient, the company suggests: it could take up to 12 hours to get a reset email.

Finally, here are three quick tips for protecting yourself in these days of password reuse attacks:

  1. Don’t re-use passwords. Never! As this breach makes clear yet again, crooks will try a stolen password from one account against all your others, and the attacks nowadays are increasingly automated. Don’t make things easy for them – or for their bots.
  2. Turn on 2FA. It makes yesterday’s password breaches much less useful to today’s crooks, because of the ever-changing login codes. Many sites already offer this feature, and Carbonite’s on track to join them, so turn it on wherever and whenever it’s available.
  3. Watch our How to Pick a Proper Password video. It’s easier than you might think to come up with passwords that crooks are unlikely to be able to guess:




One comment on “Carbonite online backup service bombarded with reused passwords”

  1. John Griffith says:
    June 23, 2016 at 10:25 pm

    Yes, Please, keep all my data on your servers – What could possibly go wrong

