June 21, 2016
**Customers – see below to find out what you should know and visit our Knowledge Base for instructions on how to reset your password.**
As part of our ongoing security monitoring, we recently became aware of unauthorized attempts to access a number of Carbonite accounts. This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked. The attackers then tried to use the stolen information to access Carbonite accounts.
Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.
What Information Was Involved
While we will continue to monitor and investigate the matter, we have determined that usernames and passwords are involved. Additionally, for some accounts, other personal information may have been exposed.
What We Are Doing
To ensure the protection of all our customers and the safety of their data, we are requiring all Carbonite customers to reset their login information. All Carbonite users will receive an email with instructions to reset their passwords. These emails will arrive in your inbox over the course of the day and evening. Our Customer Care team is standing by to assist anyone who needs additional help. This activity in no way affects existing or scheduled backups. Files are still being safely backed up.
In addition to our existing monitoring practices, we will be rolling out additional security measures to protect your account, including increased security review and two-factor authentication [which we strongly encourage all customers to use].
What Carbonite Customers Should Do
Look for an email from Carbonite with instructions for resetting your password. We highly recommend all customers use “strong” unique passwords for Carbonite and all online accounts. Learn more about strong passwords at www.carbonite.com/safety. If you use the same or similar passwords on other online services, we recommend that you set new passwords on those accounts as well.
Is the email you received legitimate?
Yes. Carbonite sent an email to all customers an email asking them to reset their passwords.
How to tell if the email you received is legitimate:
- Don’t trust the sender nickname. Check the sending email address. We sent from firstname.lastname@example.org. Don’t trust an email from anything else.
- Our Reset Your Password button brings you to a Carbonite page. Check to make sure the URL is account.carbonite.com and that it has a green lock.
- Don’t download and run anything. Our password reset runs in your browser so don’t download and run any executables as they may be malicious.
What can you do if the password reset link isn’t working?
- Use the Forgot Password link. Please be patient, as it may take up to 12 hours to receive a reset email. https://account.carbonite.com/Subscriber/ForgotPassword
- Call Carbonite Customer Support at 877-222-5488 to reset your password over the phone. Wait times may be longer than expected due to high call volume.
For More Information
If you have questions or concerns, please contact Carbonite Customer Care.