Image by Brilt from Thinkstock.com
Image by Brilt from Thinkstock.com

Good IT security doesn’t only mean using technology the right way. It also means employees have to follow safe practices, especially not re-using passwords on multiple sites.

If staff need reminding CISOs can pass around this report: Citrix sells a cloud service called GoToMyPC that allows employees remote access to their office computers. It’s convenient for people on the road, but it does carry risks: If staffers use unsafe passwords or re-use passwords on other sites their computers can be hacked.

The vendor has admitted that has happened this month.  “Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” the company said in an email to ITWorldCanada.com.

For employees that don’t get it, here’s the explanation: Over the years through a number of data breaches attackers are able to get their hands on lists of stolen passwords (Ashley Madison, for example, or last week’s hack at Toronto-based VerticalScope). They then run those against common sites (Gmail, Yahoo Mail, LinkedIn, Twitter) fully expecting at least some people will have re-used passwords on multiple sites.

In this case an attacker looking for a corporate victim chose to test the GoToMyPC portal.  As a result of the discovery — and Citrix isn’t saying how many accounts were breached or for how long it went on before being reported — the vendor forced all subscribers to change their passwords. It’s also urging subscribers to enable two-step verification to make it harder for attackers to get into accounts without users knowing about it.

UPDATE: After this story was published Carbonite, an online backup storage service for business and consumers, told all subscribers to change their passwords after its security team became aware of unauthorized attempts to access a number of accounts. “This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked,” the notice said. “The attackers then tried to use the stolen information to access Carbonite accounts. Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.”

Getting employees to follow safe password procedures is a never-ending problem. Verizon Communications believes that 63 per cent of confirmed data breaches involved leveraging weak, default or stolen passwords. It’s one reason why two-factor authentication is a must until biometrics takes over as the most common authentication process.

What CISOs have to make sure employees understand is that they have the ability to limit the exploitation of password weaknesses.