One day after GoToMyPC, Carbonite suffers the same fate

Jun 22, 2016 03:40 GMT

Mac & Windows online backup service Carbonite decided to reset all user passwords yesterday after the company's IT staff detected an ongoing, large-scale ATO (account takeover) attack.

The company said the attacking third party didn't compromise any user accounts, mainly because its staff caught the attack in its early stages. To make sure nothing was stolen from people's backups, Carbonite has initiated a service-wide password reset.

As was the case with GoToMyPC, a remote desktop utility, the attackers managed to get their hands on username and password combos, probably acquired from the recent mega breaches, and tried to brute-force their way into Carbonite accounts, hoping that some users reused their credentials across different services.

Brute-force attacks and account hijacking to become more popular

Such types of attacks are known as ATO or Identity Testing Attacks, and according to security firm ThreatMetrix, they are becoming extremely popular.

Akamai observed the same thing this past February, when crooks used over one million different IPs to brute-force their way into various companies. This shows how popular such attacks have become, even before the Tumblr, LinkedIn, MySpace, VK, or Twitter mega breaches, which have exposed over one billion username-password combos in the last two months alone.
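For defenders, attacks that replay leaked credentials from many IPs look different from a classic single-account brute force: many accounts fail once or twice each, and no single IP is very noisy. The sketch below is an added example, not code from Carbonite, Akamai or this article; the log format, thresholds and sample lines are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample log: "epoch_seconds ip username result" (format is an assumption).
SAMPLE_LOG = """\
1000 203.0.113.5 alice FAIL
1002 203.0.113.9 bob FAIL
1003 198.51.100.7 carol FAIL
1004 198.51.100.8 dave OK
1005 203.0.113.5 erin FAIL
1007 192.0.2.44 frank OK
1008 198.51.100.8 grace FAIL
1009 203.0.113.9 heidi FAIL
"""

def parse(log):
    for line in log.splitlines():
        ts, ip, user, result = line.split()
        yield int(ts), ip, user, result == "OK"

def analyze(log, window=60, min_users=5, max_fail_ratio=0.5, max_tries_per_user=2):
    """Flag time windows that look like credential reuse testing; list accounts to reset."""
    buckets = defaultdict(list)
    for ts, ip, user, ok in parse(log):
        buckets[ts // window].append((ip, user, ok))
    findings = []
    for bucket, events in sorted(buckets.items()):
        fails = [(ip, user) for ip, user, ok in events if not ok]
        failed_users = {u for _, u in fails}
        tries = defaultdict(int)
        for _, u in fails:
            tries[u] += 1
        # Signature: many accounts failing, each tried only once or twice.
        wide = len(failed_users) >= min_users
        shallow = all(n <= max_tries_per_user for n in tries.values())
        noisy = len(fails) / len(events) > max_fail_ratio
        if wide and shallow and noisy:
            # A success from an IP that also failed against other accounts in this window.
            fail_ips = defaultdict(set)
            for ip, u in fails:
                fail_ips[ip].add(u)
            at_risk = sorted(u for ip, u, ok in events
                             if ok and fail_ips[ip] - {u})
            findings.append({"window_start": bucket * window,
                             "failed_accounts": len(failed_users),
                             "source_ips": len({ip for ip, _ in fails}),
                             "reset": at_risk})
    return findings
```

On the constructed sample, `analyze(SAMPLE_LOG)` flags one window and marks `dave` for a forced reset, because his successful login came from an address that also failed against a different account.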

As for Carbonite, the company is now asking users to select new passwords. Carbonite doesn't provide two-factor authentication right now, but the company said it would be rolling out 2FA in the future.

Services like Carbonite, GoToMyPC or TeamViewer, even if not as popular, often provide a trove of sensitive information, allowing hackers direct access to user devices, or to financial data or passwords stored as computer backup files.

Most Carbonite users should receive an email from the company in the coming days, but they'll be prompted to reset their password as soon as they try to use the service anyway.