Cyber Incident Victim: Carbonite
Date: Jun 2016
Location: United States of America
Summary
Carbonite experienced a large-scale account takeover attack where attackers leveraged credentials stolen from unrelated third-party breaches to compromise user accounts via password reuse. The company confirmed no breach of its own systems but mandated password resets for all users to mitigate unauthorized access, while assuring existing backups remained unaffected. Some accounts potentially had additional personal information exposed during the incident. The service acknowledged plans to implement two-factor authentication as a future security enhancement. Attackers exploited widely available stolen credentials from other platforms, highlighting systemic risks of password reuse across online services.
Description
In June 2016, Carbonite, an online backup service, detected a large-scale account takeover attack targeting its user accounts. The company determined that attackers were attempting unauthorized access by using email addresses and passwords previously stolen from breaches of other organizations; Carbonite confirmed it had found no evidence of a direct breach of its own systems. The attackers used credential-stuffing techniques, systematically testing login combinations sourced from third-party breaches (potentially including major incidents such as LinkedIn, Tumblr, MySpace, VK, or GoToMyPC), though Carbonite did not specify the exact origin of the reused credentials. The attack occurred amid a surge in credential leaks across multiple platforms, with over 1 billion logins reportedly exposed in the preceding two months alone, many circulating on dark web markets. Carbonite observed that the attackers used stolen username and password pairs, and that some accounts also had additional personal information exposed during the incident.

Carbonite responded by enforcing a mandatory password reset for all users, sending instructions by email from the verified address [email protected] and directing users to confirm that the reset page was served from the legitimate account.carbonite.com domain over HTTPS. The company assured users that existing and scheduled backups remained unaffected and securely stored. While Carbonite acknowledged that it lacked two-factor authentication (2FA) at the time, it announced plans to implement the feature to bolster future account security. Users experiencing delays with password reset links were advised to use the "Forgot Password" option, with potential wait times of up to 12 hours for email delivery. The incident underscored the risks of password reuse across multiple services, as automated attacks exploited credentials from unrelated breaches to target Carbonite accounts.
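The credential-stuffing pattern described above has a distinct signature in authentication logs: one source tries many different accounts about once each, and the occasional success marks an account whose reused password is now known to the attacker. The following detection logic is an added example, not Carbonite's own tooling; the log format, field names, thresholds and sample entries are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample auth log, one "<source_ip> <account> <result>" per line.
SAMPLE_LOG = """\
203.0.113.7 alice@example.org FAIL
203.0.113.7 bob@example.org FAIL
203.0.113.7 carol@example.org OK
203.0.113.7 dave@example.org FAIL
203.0.113.7 erin@example.org FAIL
203.0.113.7 frank@example.org OK
198.51.100.9 victim@example.org FAIL
198.51.100.9 victim@example.org FAIL
198.51.100.9 victim@example.org FAIL
198.51.100.9 victim@example.org FAIL
192.0.2.44 ivan@example.org FAIL
192.0.2.44 ivan@example.org OK
"""

def parse_log(log):
    """Per source IP: attempt count, failure count, and account -> succeeded?"""
    stats = defaultdict(lambda: {"attempts": 0, "failures": 0, "accounts": {}})
    for line in filter(str.strip, log.splitlines()):
        ip, account, result = line.split()
        s = stats[ip]
        s["attempts"] += 1
        s["failures"] += result != "OK"
        s["accounts"][account] = s["accounts"].get(account, False) or result == "OK"
    return dict(stats)

def classify(stats, min_accounts=5, min_attempts=4):
    """Stuffing: many distinct accounts, at most ~2 tries each, mostly failures
    (each leaked pair either works or not). Brute force: one account hammered."""
    labels = {}
    for ip, s in stats.items():
        n_acc = len(s["accounts"])
        fail_rate = s["failures"] / s["attempts"]
        if n_acc >= min_accounts and s["attempts"] <= 2 * n_acc and fail_rate >= 0.5:
            labels[ip] = "credential_stuffing"
        elif n_acc == 1 and s["attempts"] >= min_attempts and fail_rate >= 0.75:
            labels[ip] = "brute_force"
        else:
            labels[ip] = "normal"
    return labels

def accounts_to_reset(stats, labels):
    """Accounts that authenticated from a stuffing source: their reused
    password is in the attacker's list, so they need a forced reset."""
    return {acc for ip, s in stats.items() if labels[ip] == "credential_stuffing"
            for acc, ok in s["accounts"].items() if ok}
```

Running `accounts_to_reset(parse_log(SAMPLE_LOG), classify(parse_log(SAMPLE_LOG)))` on the constructed log yields the two accounts that accepted a reused password, which is the targeted subset a forced-reset campaign would prioritise before a site-wide reset.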
