Online backup service Carbonite is forcing users to pick new passwords in the wake of discovering that it was under a large-scale account takeover attack.
On Tuesday, the company said in a post that as far as it can tell, its own systems haven’t been breached.
Rather than pilfering logins from Carbonite itself, the attackers appear to be trying to get into Carbonite accounts with email addresses and passwords stolen by breaching other companies.
What other companies? Carbonite didn’t hazard a guess, and really, why should it? They could have come from anywhere. Humongous datasets of stolen logins have been popping up like dandelions after a spring rain.
Could be that the Carbonite logins came from people who reused the same email addresses/passwords on LinkedIn. Or on Tumblr. Or MySpace, VK, or GoToMyPC.
The list of stolen credentials available online grows every day. Add up just that list of breaches above, and over the past 2 months we’ve seen over 1 billion logins spilled, many of them up for sale on the dark web.
Carbonite says that the attackers are using usernames and passwords, and that for some of the accounts other personal information also appears to have been exposed.
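The attack pattern described above has a recognisable shape in a login log: one source tries many different accounts, usually once each, and the occasional success is the reused password working. The following is an added example, not Carbonite's code or log data, that runs that detection logic over a constructed log; the log format, the thresholds and the IP addresses are all assumptions made for the illustration.

```python
"""Spot credential-stuffing traffic in an authentication log.

Added example, not Carbonite's code or data. The log format is a constructed,
simplified one: "<ISO timestamp> <source IP> <username> <OK|FAIL>". The
thresholds (5 attempts, 5 distinct accounts, 5-minute window) are illustrative
assumptions, not figures from the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. 203.0.113.9 walks through many accounts with one
# attempt each, the signature of replaying a stolen list; 198.51.100.7 hammers
# a single account (classic brute force); 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
2016-06-21T10:00:01Z 203.0.113.9 alice@example.com FAIL
2016-06-21T10:00:02Z 203.0.113.9 bob@example.com FAIL
2016-06-21T10:00:02Z 203.0.113.9 carol@example.com OK
2016-06-21T10:00:03Z 203.0.113.9 dave@example.com FAIL
2016-06-21T10:00:03Z 203.0.113.9 erin@example.com FAIL
2016-06-21T10:00:04Z 203.0.113.9 frank@example.com FAIL
2016-06-21T10:00:10Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:00:11Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:00:12Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:00:13Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:00:14Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:00:15Z 198.51.100.7 grace@example.com FAIL
2016-06-21T10:05:00Z 192.0.2.5 heidi@example.com FAIL
2016-06-21T10:05:09Z 192.0.2.5 heidi@example.com OK
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        stamp = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append((stamp, ip, user, result == "OK"))
    return events


def classify_sources(events, window=timedelta(minutes=5), min_attempts=5, min_distinct=5):
    """Label source IPs that make min_attempts logins inside any sliding window.

    "stuffing":   the attempts are spread over at least min_distinct accounts
    "bruteforce": the attempts are concentrated on one or two accounts
    Sources that never reach min_attempts, or that fall between the two shapes,
    get no label.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, ok in events:
        by_ip[ip].append((ts, user, ok))
    verdicts = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda a: a[0])
        start = 0
        for end in range(len(attempts)):
            # Slide the window start forward until it spans at most `window`.
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            win = attempts[start:end + 1]
            if len(win) < min_attempts:
                continue
            accounts = {user for _, user, _ in win}
            if len(accounts) >= min_distinct:
                verdicts[ip] = "stuffing"
                break
            if len(accounts) <= 2:
                verdicts[ip] = "bruteforce"
                break
    return verdicts


def accounts_to_reset(events, verdicts):
    """Accounts where a stuffing source got an OK: the reused password worked."""
    return {user for _, ip, user, ok in events if ok and verdicts.get(ip) == "stuffing"}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    labels = classify_sources(evs)
    for ip, label in sorted(labels.items()):
        print(ip, label)
    print("force reset:", sorted(accounts_to_reset(evs, labels)))
```

The per-source view is the easy case. Stuffing crews that rotate through proxies show up instead as a fleet-wide rise in accounts that each see exactly one failed login, so in practice you would pair this with that aggregate signal; the actionable output either way is the set of accounts the stolen list actually opened, which is what a forced reset is for.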
The company’s requiring all users to reset their login information. It sent out an email with instructions on how to do that.
Carbonite also said that this won’t affect existing or scheduled backups: the files “are still being safely backed up.”
Carbonite doesn’t currently offer two-factor authentication (2FA), but it says that plans are in the works to roll it out.
The company says that this is how you can tell the password reset email is legitimate:
- Don’t trust the sender nickname. Check the sending email address. Carbonite sent from firstname.lastname@example.org. Don’t trust an email from anything else.
- The Reset Your Password button brings you to a Carbonite page. Check to make sure the URL is account.carbonite.com and that it has a green lock.
- Don’t download and run anything. The password reset runs in your browser, so don’t download and run any executables, as they may be malicious.
If the password reset link isn’t working, Carbonite said you can use the Forgot Password link. Be patient, the company suggests: it could take up to 12 hours to get a reset email.
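Those three rules are easy to apply by eye but easy to get wrong against a crafted link, so here they are written down as an added example (not Carbonite's code). The reset host account.carbonite.com and the https requirement come from the article; the expected sender domain carbonite.com is an assumption, since the exact sending address is not reproduced above, and the list of executable extensions is likewise illustrative.

```python
"""Check a password-reset email the way the article's three rules say to.

Added example, not Carbonite's code. EXPECTED_SENDER_DOMAIN is an assumption
(the article's exact sender address is not reproduced); the reset host and the
https requirement come from the article; EXECUTABLE_SUFFIXES is illustrative.
"""
from email.utils import parseaddr
from urllib.parse import urlsplit

EXPECTED_SENDER_DOMAIN = "carbonite.com"          # assumption
EXPECTED_RESET_HOST = "account.carbonite.com"     # from the article
EXECUTABLE_SUFFIXES = (".exe", ".msi", ".scr", ".bat", ".js", ".zip", ".dmg", ".pkg")


def sender_domain(from_header):
    """Domain of the real address in a From: header, ignoring the display name.

    "Carbonite Support <phish@evil.example>" yields "evil.example": the nickname
    is whatever the sender typed, the address is what actually matters.
    """
    _name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def check_reset_link(url):
    """Return the reasons a reset link is suspect; an empty list means it passes."""
    problems = []
    parts = urlsplit(url)
    if parts.scheme != "https":
        problems.append("not https")
    # urlsplit already separates userinfo, so "https://account.carbonite.com@evil.example/"
    # comes back with hostname "evil.example"; a plain substring check would be fooled.
    host = (parts.hostname or "").lower()
    if host != EXPECTED_RESET_HOST:
        problems.append("host is %r, not %r" % (host, EXPECTED_RESET_HOST))
    if parts.username is not None:
        problems.append("URL carries userinfo (host@ trick)")
    if parts.path.lower().endswith(EXECUTABLE_SUFFIXES):
        problems.append("link points at a downloadable executable/archive")
    return problems


def check_reset_email(from_header, url):
    """Apply all three rules; an empty list means the email passed them."""
    problems = []
    dom = sender_domain(from_header)
    if dom != EXPECTED_SENDER_DOMAIN:
        problems.append("sender domain is %r, not %r" % (dom, EXPECTED_SENDER_DOMAIN))
    problems.extend(check_reset_link(url))
    return problems


if __name__ == "__main__":
    # Constructed test messages: one genuine-looking, three phishing shapes.
    samples = [
        ("Carbonite <noreply@carbonite.com>", "https://account.carbonite.com/reset?token=abc"),
        ("Carbonite Support <phish@evil.example>", "https://account.carbonite.com.evil.example/reset"),
        ("Carbonite <noreply@carbonite.com>", "https://account.carbonite.com@evil.example/reset"),
        ("Carbonite <noreply@carbonite.com>", "https://account.carbonite.com/reset.exe"),
    ]
    for frm, link in samples:
        print(link, "->", check_reset_email(frm, link) or "OK")
```

Exact host comparison is deliberate: it rejects account.carbonite.com.evil.example and look-alike hosts with substituted Unicode letters, both of which sail through a "contains carbonite.com" test. The sender check is the weakest of the three, because the From: header is trivially forgeable; it catches sloppy look-alike domains, while authenticating that the mail really came from Carbonite is the job of your mail server's SPF, DKIM and DMARC checks.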
Finally, here are three quick tips for protecting yourself in these days of password reuse attacks:
- Don’t re-use passwords. Never! As this breach makes clear yet again, crooks will try a stolen password from one account against all your others, and the attacks nowadays are increasingly automated. Don’t make things easy for them – or for their bots.
- Turn on 2FA. It makes yesterday’s password breaches much less useful to today’s crooks, because of the ever-changing login codes. Many sites already offer this feature, and Carbonite’s on track to join them, so turn it on wherever and whenever it’s available.
- Watch our How to Pick a Proper Password video. It’s easier than you might think to come up with passwords that crooks are unlikely to be able to guess:
One comment on “Carbonite online backup service bombarded with reused passwords”
Yes, please, keep all my data on your servers. What could possibly go wrong?