The backup service Carbonite and Citrix’s remote access tool GoToMyPC both recently reset all customer passwords in response to attacks that leveraged passwords reused on other sites to breach user accounts.
In Carbonite’s case, the company said in a statement that a pattern of unauthorized attempts to access Carbonite accounts “appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked.”
“Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised,” the company added.
“In addition to our existing monitoring practices, we will be rolling out additional security measures to protect your account, including increased security review and two-factor authentication (which we strongly encourage all customers to use),” Carbonite stated.
Similarly, Citrix said in a statement that GoToMyPC was the victim of “a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.”
“Citrix encourages customers to visit the GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible,” the company added.
Imperva security research team leader Nadav Avital told eSecurity Planet by email that attacks like these are on the rise because they’re so simple — they require minimal resources from the attacker, and there are lots of leaked credentials to work with. “In addition to threatening site users, these attacks also present risk to the attacked site, due to intense load on the authentication server, or massive legitimate account lockout, due to the common lock-after-X-failures safety mechanisms,” he said.
“Sadly, most sites lack the proper security measures to stop these attacks,” Avital added. “Proper mitigation must provide account takeover solutions, such as detection of stolen passwords usage, detection of automated tools (bots) and detection of account access from a malicious device.”
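The two failure modes Avital describes (load from a burst of credential-stuffing attempts, and legitimate users locked out by per-account lock-after-X-failures rules) show up differently in authentication logs. The following example, added here and not code from the article or from any of the vendors it quotes, runs a simple detector over a constructed sample log: it flags a source that tries many distinct usernames with a high failure ratio in one time window, lists the accounts that nonetheless logged in successfully from that source (the ones most likely to have a reused, leaked password and to need a forced reset), and contrasts that with a plain per-account lockout rule, which never fires on the stuffing source because each account sees only one attempt. The log format, IP addresses, usernames and thresholds are all assumptions for illustration.

```python
"""Credential-stuffing detection over a constructed authentication log.

Added example (not from the article). Log format is assumed:
    <ISO-8601 timestamp> <source_ip> <username> <OK|FAIL>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source cycling through many usernames (the
# stuffing pattern), one legitimate user mistyping a password twice,
# and one ordinary successful login. Addresses are documentation ranges.
SAMPLE_LOG = """\
2016-06-21T10:00:01 203.0.113.5 alice FAIL
2016-06-21T10:00:02 203.0.113.5 bob FAIL
2016-06-21T10:00:02 203.0.113.5 carol OK
2016-06-21T10:00:03 203.0.113.5 dave FAIL
2016-06-21T10:00:03 203.0.113.5 erin FAIL
2016-06-21T10:00:04 203.0.113.5 frank FAIL
2016-06-21T10:00:04 203.0.113.5 grace FAIL
2016-06-21T10:00:05 203.0.113.5 heidi OK
2016-06-21T10:00:06 203.0.113.5 ivan FAIL
2016-06-21T10:00:06 203.0.113.5 judy FAIL
2016-06-21T10:00:07 203.0.113.5 mallory FAIL
2016-06-21T10:00:08 203.0.113.5 oscar FAIL
2016-06-21T10:00:10 198.51.100.7 alice FAIL
2016-06-21T10:00:20 198.51.100.7 alice FAIL
2016-06-21T10:00:30 198.51.100.7 alice OK
2016-06-21T10:05:00 192.0.2.9 bob OK
"""

EPOCH = datetime(1970, 1, 1)


def parse_log(text):
    """Return a list of (timestamp, source_ip, username, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60),
                    min_users=10, min_fail_ratio=0.5):
    """Flag sources that hit many distinct accounts with mostly failures.

    Attempts are bucketed per (source_ip, fixed time window). A bucket is
    reported when it touches at least `min_users` distinct usernames and
    at least `min_fail_ratio` of its attempts failed. Thresholds are
    assumed values; tune them to the site's normal traffic.
    """
    buckets = defaultdict(list)
    for ts, ip, user, ok in events:
        bucket = (ts - EPOCH) // window          # integer window index
        buckets[(ip, bucket)].append((user, ok))

    alerts = []
    for (ip, _), attempts in buckets.items():
        users = {u for u, _ in attempts}
        failures = sum(1 for _, ok in attempts if not ok)
        ratio = failures / len(attempts)
        if len(users) >= min_users and ratio >= min_fail_ratio:
            alerts.append({
                "source": ip,
                "distinct_users": len(users),
                "attempts": len(attempts),
                "failure_ratio": round(ratio, 2),
                # Successful logins inside a stuffing burst are the accounts
                # whose reused password has most likely leaked elsewhere.
                "successes": sorted(u for u, ok in attempts if ok),
            })
    return alerts


def lockout_candidates(events, max_failures=3):
    """Accounts a naive per-account lock-after-X-failures rule would lock.

    Shown for contrast: the stuffing source above sends one attempt per
    account, so this rule never fires on it, while a legitimate user who
    mistypes a few times does get locked.
    """
    failures = defaultdict(int)
    for _, _, user, ok in events:
        if not ok:
            failures[user] += 1
    return {u for u, n in failures.items() if n >= max_failures}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for alert in detect_stuffing(evs):
        print("stuffing source:", alert)
    print("accounts a per-account lockout rule would lock:",
          lockout_candidates(evs))
```

In the sample, the 203.0.113.5 bucket covers twelve usernames with ten failures, so it is reported along with the two accounts (carol and heidi) that authenticated successfully during the burst; those are the ones a defender would force-reset and prompt toward two-factor authentication. The lockout rule, by contrast, only catches alice, who is a legitimate user retyping a password, which is exactly the "massive legitimate account lockout" side effect Avital warns about when a site relies on per-account counters alone.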
A recent LastPass survey of over 1,000 U.S. consumers found that 59 percent of respondents admitted reusing passwords between websites. A separate Ping Identity survey of more than 1,000 U.S. enterprise employees found that almost half of respondents reuse passwords for work-related accounts, and almost two thirds do so for personal accounts.
More recently, a survey of 1,022 respondents in the U.S., conducted by Arlington Research on behalf of OneLogin, found that 20 percent of employees share their work email passwords and 12 percent share passwords to other work applications. Almost half of all employees are unaware of any company policies regarding sharing of passwords.
The survey also found that 13 percent let their colleagues use a device that can access their employer’s network, and nine percent allow their partners to access such a device. One in five employees have no security software on their work mobile devices.
“Given that it takes only one compromised account to lead to a breach, these lax security practices are troubling, especially when you consider that they could take place at your bank, at your children’s school, or in your local government,” OneLogin CISO Alvaro Hoyos said in a statement. “A breach at one location can lead to others, especially with bad password habits like password reuse.”
“Technical controls should be put in place to ensure only authorized workers are accessing data securely and these should be reinforced with security awareness efforts as well,” Hoyos added. “For example, using single sign-on and identity management solutions to enforce role based access and step up authentication establishes a strong security foundation, and coupling that with periodic security awareness training or simple reminders strengthens that foundation.”
A recent eSecurity Planet article examined the future of identity management solutions.