Customers were told to reset their passwords using the “forgot password” link, with more specific instructions on how to do this being delivered some seven hours later.
Advertisement
The global password reset comes soon after a separate attack on another remote access system that also re-used passwords stolen elsewhere.
Saying that its GoToMyPC service was the subject of a “very sophisticated password attack,” Citrix on Saturday evening advised all users of the service that it has reset their passwords. “We apologize for any inconvenience this may have caused you”. It’s convenient for people on the road, but it does carry risks: If staffers use unsafe passwords or re-use passwords on other sites their computers can be hacked.
Currently, Citrix is recommending that all GoToMYPC users add two-factor authentication to their accounts, which will at least help prevent attackers from gaining access unless they also have access to the exact way that Citrix verifies users are who they say they are. Over the last several weeks several firms including Twitter, Github, Tumbler, iMesh and LinkedIn also forced their customers to reset their passwords. “To protect you, the security team recommended that we reset all customer passwords immediately”.
Citrix is yet to detail how many users are affected by the breach. Each one of these stolen accounts might not be worth much alone, he said.
Experts at ThreatMetrix estimate that password reuse is a bad habit that 60 percent of internet users are guilty of.
Advertisement
The company has not yet announced the precise nature of the attack on its network, nor whether user passwords were directly breached from its servers. “Given a list of passwords (either from a dictionary) or, better yet, from an existing leak – hackers can easily write scripts that attempt to compromise accounts by guessing multiple passwords”, Wardle said.
