Online Backup Firm Carbonite Tells Users To Change Their Passwords Now

Security reporter Graham Cluley writes:Online backup company Carbonite is the latest firm to have issued a warning that hackers are attempting to break into its users accounts, and are prompting all users to change their passwords as a result. An email has been sent to Carbonite users explaining that the attackers are thought to be using passwords gleaned from other recent mega-breaches. "Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised," the email reads. "To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information."Instructions to assist you with changing your password is here.

from the website

[turkeydance]

"Carbonite Personal online backup protects your most important digital assets, automatically and continuously." see? don't have to worry about hacked passwords.

Re:from the website

[xxxJonBoyxxx]

>> see? don't have to worry about hacked passwords

Rush Limbaugh told me to buy it because it was safe, so I did.
http://www.breitbart.com/big-journalism/2012/08/03/carbonite-ceo-concedes-dropping-rush-limbaugh-put-bigger-hole-in-our-revenue-than-previously-expected/

Re:from the website

[AmiMoJo]

Try Spideroak. All files are encrypted on your end before they are uploaded, including metadata. Files are stored in encrypted archives so if someone hacks the server they can't even determine file sizes or names etc. Your password is not even stored by Spideroak, authentication is done by the client being able to decrypt the backup metadata it previously uploaded.

More sites should support unauthenticated access

If there's one thing we should learn from these breaches it's that having to create an account to use a site is generally a dumb thing to do.

Yes, it's unavoidable in some cases, but in other cases there's no reason not to allow Anonymous Coward-style interaction, like Slashdot does.

As we can see from sites like Slashdot, Reddit, Hacker News, and Stack Overflow, supporting or forcing the use of accounts actually reduces the quality of the discussion. Everybody becomes concerned about protecting their "karma" or "points" or whatever they fuck the site calls them, and instead of getting real discussion we often get a pacified, pathetic discourse instead.

Accounts are typically one of the worst things that a web site can support.

Re:Surpised Spielberg isn't all up inside Cabonite

[Stormy+Dragon]

Carbonite is a thing that existed before Star Wars:

https://en.wikipedia.org/wiki/...

GoToMyPC had a similar issue this weekend

[no1nose]

They told everyone to reset their passwords and strongly encouraged 2-factor authentication.

Re:More sites should support unauthenticated acces

Hi, same AC here. I thought a little bit about what I said and I have changed my mind, websites with accounts are great! Also, I like to eat my boogers.

Re:online backup?

[vux984]

Sorry. You are simply wrong.

A service like carbonite or crashplan etc absolutely is a backup, and it is online.

The Tao of Backup fails to consider and manage risk.

The novice said: "I will save my working files, but not my system and application files, as they can be always be reinstalled from their distribution disks."

The master made no reply.

The next day, the novice's disk crashed. Three days later, the novice was still reinstalling software.

I'd say the novice made the right decision. For the average user. The cost of losing 2 days productivity is far cheaper than what the master proposes having in place just to avoid losing 2 days productivity.

Its not really a win if you spend $10,000 to gracefully avoid a $1000 loss.

Re:Password apocalypse

[Archangel+Michael]

You're 100% right, and yet not.

Reset passwords only affects people who don't ever change their passwords. If a site asked me to change my password, I would. Then I would change it again every three months, just because they have semi-admitted they can't keep my passwords (and their service) safe.