Slashdot Mirror


Online Backup Firm Carbonite Tells Users To Change Their Passwords Now (grahamcluley.com)

Security reporter Graham Cluley writes: Online backup company Carbonite is the latest firm to have issued a warning that hackers are attempting to break into its users' accounts, and is prompting all users to change their passwords as a result. An email has been sent to Carbonite users explaining that the attackers are thought to be using passwords gleaned from other recent mega-breaches. "Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised," the email reads. "To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information." Instructions to assist you with changing your password are here.

35 comments

  1. from the website by turkeydance · · Score: 2

    "Carbonite Personal online backup protects your most important digital assets, automatically and continuously." see? don't have to worry about hacked passwords.

    1. Re:from the website by xxxJonBoyxxx · · Score: 2

      >> see? don't have to worry about hacked passwords

      Rush Limbaugh told me to buy it because it was safe, so I did.
      http://www.breitbart.com/big-journalism/2012/08/03/carbonite-ceo-concedes-dropping-rush-limbaugh-put-bigger-hole-in-our-revenue-than-previously-expected/

    2. Re:from the website by AmiMoJo · · Score: 2

      Try Spideroak. All files are encrypted on your end before they are uploaded, including metadata. Files are stored in encrypted archives so if someone hacks the server they can't even determine file sizes or names etc. Your password is not even stored by Spideroak, authentication is done by the client being able to decrypt the backup metadata it previously uploaded.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  2. More sites should support unauthenticated access by Anonymous Coward · · Score: 5, Insightful

    If there's one thing we should learn from these breaches it's that having to create an account to use a site is generally a dumb thing to do.

    Yes, it's unavoidable in some cases, but in other cases there's no reason not to allow Anonymous Coward-style interaction, like Slashdot does.

    As we can see from sites like Slashdot, Reddit, Hacker News, and Stack Overflow, supporting or forcing the use of accounts actually reduces the quality of the discussion. Everybody becomes concerned about protecting their "karma" or "points" or whatever the fuck the site calls them, and instead of getting real discussion we often get a pacified, pathetic discourse instead.

    Accounts are typically one of the worst things that a web site can support.

  3. Re:More sites should support unauthenticated acces by Anonymous Coward · · Score: 0

    Totally agree.

  4. Re:Surpised Spielberg isn't all up inside Cabonite by Stormy Dragon · · Score: 2

    Carbonite is a thing that existed before Star Wars:

    https://en.wikipedia.org/wiki/...

  5. Password apocalypse by Anonymous Coward · · Score: 0

    With that many password resets going on, how many more accounts will be hacked and be used as stepping stones into even more systems with access to password databases? And then, more password resets? Is there a critical mass?

    1. Re:Password apocalypse by Archangel Michael · · Score: 1

      With that many passwords getting hacked, why are you re-using the same password for everything?
      With Passwords being hacked all the time, why aren't you changing your passwords on a regular basis (every quarter, semi-annually)?
      With Passwords being exposed by all kinds of data breaches, and the power of Botnets, why are you NOT using two-factor authentication more?

      Or is it because all of those things a matter of convenience (or inconvenient)? Might as well set it to the same thing as my luggage.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
    2. Re:Password apocalypse by Anonymous Coward · · Score: 0

      As far as I understand it, that backup service provider is asking ALL users to change their passwords, not just the ones with dumb passwords or with passwords that they also use somewhere else. So having a high-entropy password, changing it frequently, and using two-factor authentication doesn't really prevent you from having your password reset on you. And that means there's a window of opportunity for an attacker to get into your account. What do you think is going to happen when their support is faced with all those angry customers who suddenly can't log into their own accounts? Corners will be cut.

    3. Re:Password apocalypse by Archangel Michael · · Score: 2

      You're 100% right, and yet not.

      Reset passwords only affects people who don't ever change their passwords. If a site asked me to change my password, I would. Then I would change it again every three months, just because they have semi-admitted they can't keep my passwords (and their service) safe.

      --
      Agent K: A *person* is smart. People are dumb, stupid, panicky animals, and you know it.
  6. Re: That's because Carbonite isn't APPY enough! by Anonymous Coward · · Score: 0

    Maybe they need Apponite?

  7. GoToMyPC had a similar issue this weekend by no1nose · · Score: 2

    They told everyone to reset their passwords and strongly encouraged 2-factor authentication.

    1. Re: GoToMyPC had a similar issue this weekend by Anonymous Coward · · Score: 0

      I use 69 factor authentication which includes an anal swab. Oh baby

  8. Wait until IoT devices start stealing passwords. by Anonymous Coward · · Score: 0

    Just wait until IoT devices are caught collecting credentials. Your IoT-enabled light bulb? Yeah, it turns out it's using its camera to watch you type, and it's recording the sound of your keystrokes, and it's using its embedded CPU to analyze and statistically determine your passwords, and it's uploading this info into "the cloud" for gosh knows who to access and use.

    Nobody will be safe. It's bad enough that IoT technology will likely be used to watch you in the bathroom. But maybe collecting credentials will finally be what turns people against IoT devices.

  9. online backup? by dshk · · Score: 0

    There is no such thing as online backup. By definition backup must not be online. Physical presence and offline media is required. http://www.taobackup.com/

    1. Re:online backup? by vux984 · · Score: 2

      Sorry. You are simply wrong.

      A service like carbonite or crashplan etc absolutely is a backup, and it is online.

      The Tao of Backup fails to consider and manage risk.

      The novice said: "I will save my working files, but not my system and application files, as they can be always be reinstalled from their distribution disks."

      The master made no reply.

      The next day, the novice's disk crashed. Three days later, the novice was still reinstalling software.

      I'd say the novice made the right decision. For the average user. The cost of losing 2 days productivity is far cheaper than what the master proposes having in place just to avoid losing 2 days productivity.

      It's not really a win if you spend $10,000 to gracefully avoid a $1000 loss.

    2. Re: online backup? by Anonymous Coward · · Score: 0

      All cloud services suck donkey balls. Period. The whole idea was stupid from the start. The more people realize it the better.

    3. Re:online backup? by Anonymous Coward · · Score: 0

      What utter horseshit. The amusing part is Taobackup is actually pretty bad when it comes to backup advice. Backup can be online or offline as long as your own online can't corrupt the online backup. Secondly, backup is a Risk vs Cost decision, not purely a what guarantees fast complete recovery; as vux984 commented, losing 2 days can absolutely be a positive result. We actually have a similar policy for a production system with regards to backup. We accept that a catastrophic outage may cost us up to 2 days downtime and a lot of data reentry, however those 2 days are far cheaper than the definite $1.5 million annual cost to reduce that outage time down to 1 hour.

  10. Carbonite being slow? by Kaenneth · · Score: 1

    I assume so many people doing resets at once, plus the attack itself is why Carbonite is being slow to respond today?

  11. Re:More sites should support unauthenticated acces by Anonymous Coward · · Score: 2, Informative

    Hi, same AC here. I thought a little bit about what I said and I have changed my mind, websites with accounts are great! Also, I like to eat my boogers.

  12. Re:More sites should support unauthenticated acces by vux984 · · Score: 1

    mod up ^

  13. Re:More sites should support unauthenticated acces by Anonymous Coward · · Score: 0

    The hell are you on about? Anonymous discussion is one thing, but accessing my backed-up personal files on Carbonite had damned well better require logging in to my account.

  14. Re:Surpised Spielberg isn't all up inside Cabonite by K. S. Kyosuke · · Score: 1

    That is possible, but given that this is apparently a backup service, I don't think the explosive meaning is what they were going for.

    --
    Ezekiel 23:20
  15. Re:Surpised Spielberg isn't all up inside Cabonite by Stormy Dragon · · Score: 1

    Of course not, but it still prevents it from being trademarked.

  16. Don't store passwords by Tijaska · · Score: 1

    Websites should not store users' passwords. It's completely unnecessary. Instead, the registration and login web pages offered by the website should compute a hash of the user's chosen password using JavaScript embedded in the page. This hash should be sent to the web server, which must then store it. If the web server is subsequently hacked, the hackers get hashes of passwords rather than the original passwords. There's no way to recover the original password from its hash. So even if each website user chooses to use the same user id and password across many different sites, hacking one won't allow hackers to log into any of the others using the hacked credentials. An SHA-3 hashing algorithm in JavaScript can be as small as 1624 bytes of code - see blake32.min.js at https://github.com/drostie/sha...

    1. Re:Don't store passwords by Anonymous Coward · · Score: 0

      This has always been true and is standard best practice. However, if you implement the hash function in javascript on the client side and someone steals the password hashes....the attacker doesn't need the passwords to login....they can just submit the hashes they stole by rewriting the javascript.....

      Not understanding the problem AND the solution is why things like this happen. Too few people understand cybersecurity mechanisms.

    2. Re:Don't store passwords by Anonymous Coward · · Score: 0

      Do the hashing server side. Login code should only work with a password. If a hash is submitted the hash of the hash would not match and login fails.
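      An added illustration (not code from any commenter) of the two schemes discussed in this subthread: the client-side-only hashing proposed in the parent comment, where the stored value can simply be replayed, beside the "hash of the hash" variant from this reply, where the server salts and re-hashes whatever the client submits. SHA-256 and PBKDF2 are assumed stand-ins; the credentials are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample credential for the demonstration (not real data).
USER_PASSWORD = "correct horse battery staple"


def client_hash(password: str) -> str:
    """Browser-side hash as proposed in the parent comment (SHA-256 stands
    in for the SHA-3/BLAKE variant mentioned there)."""
    return hashlib.sha256(password.encode()).hexdigest()


def naive_register(store: dict, user: str, password: str) -> None:
    # Server stores the client hash verbatim: that value now IS the password.
    store[user] = client_hash(password)


def naive_login(store: dict, user: str, submitted: str) -> bool:
    return hmac.compare_digest(store.get(user, ""), submitted)


def server_hash(value: str, salt: bytes) -> bytes:
    # Hardened variant from this reply: treat whatever arrives as a password
    # and apply a salted, slow hash before storing or comparing.
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, 100_000)


def hardened_register(store: dict, user: str, submitted: str) -> None:
    salt = os.urandom(16)
    store[user] = (salt, server_hash(submitted, salt))


def hardened_login(store: dict, user: str, submitted: str) -> bool:
    if user not in store:
        return False
    salt, expected = store[user]
    return hmac.compare_digest(server_hash(submitted, salt), expected)


def demo() -> tuple:
    naive = {}
    naive_register(naive, "alice", USER_PASSWORD)
    stolen = naive["alice"]                  # what a database breach exposes
    replay_naive = naive_login(naive, "alice", stolen)   # accepted: True

    hardened = {}
    hardened_register(hardened, "alice", client_hash(USER_PASSWORD))
    _salt, stored = hardened["alice"]
    replay_hardened = hardened_login(hardened, "alice", stored.hex())  # False
    legit = hardened_login(hardened, "alice", client_hash(USER_PASSWORD))
    return replay_naive, replay_hardened, legit
```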

    3. Re:Don't store passwords by Anonymous Coward · · Score: 0

      No, what you really want is https://en.wikipedia.org/wiki/Secure_Remote_Password_protocol

  17. Re:More sites should support unauthenticated acces by Anonymous Coward · · Score: 0

    Too bad there's no way to identify a client across multiple postings. Like maintaining a simple HTTP session (and having the "name" be a hash of that session) or creating a name which is a hash of the IP or somesuch.

    Few things amaze me as much as Slashdot's aversion to tracking paired with the attitude against AC.

  18. Re:Surpised Spielberg isn't all up inside Cabonite by Whibla · · Score: 1

    Perhaps you'd like to tell that to Apple?

    Or, for that matter, one of the thousands of other companies that have trademarked specific representations of common, pre-existing, words.

    If it wasn't already apparent, a word used as a trademark does not have to be a unique or original word, its representation does, so no, the existence of a carbonite explosive or a fictional means of 'freezing' an object inside a carbon block does not prevent a company creating a trademark using the word carbonite.

  19. What about ISP monthly gigabyte quotas? by knorthern knight · · Score: 1

    At least the first backup would easily blow through my monthly quota. Assuming that the backup algorithm used versioning (e.g. rsync), subsequent backups would be smaller.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user
  20. Don't put anything important in the cloud by knorthern knight · · Score: 1

    This is not the first such incident. See https://apple.slashdot.org/sto... about how easy it is to socially engineer your way into someone else's account. That's why I do not want anything vital "in the cloud"...

    * because people can get at your data on the cloud
    * GM can shut down your car from the cloud via Onstar
    * California now demands that phones "reported stolen" be shut down from the cloud

    etc, etc.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user