Citrix says customers of remote PC access service stung by password re-use

Good IT security doesn’t only mean using technology the right way. It also means employees have to follow safe practices, especially not re-using passwords on multiple sites.

If staff need reminding CISOs can pass around this report: Citrix sells a cloud service called GoToMyPC that allows employees remote access to their office computers. It’s convenient for people on the road, but it does carry risks: If staffers use unsafe passwords or re-use passwords on other sites their computers can be hacked.

The vendor has admitted that has happened this month.  “Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” the company said in an email to

For employees that don’t get it, here’s the explanation: Over the years through a number of data breaches attackers are able to get their hands on lists of stolen passwords (Ashley Madison, for example, or last week’s hack at Toronto-based VerticalScope). They then run those against common sites (Gmail, Yahoo Mail, LinkedIn, Twitter) fully expecting at least some people will have re-used passwords on multiple sites.

In this case an attacker looking for a corporate victim chose to test the GoToMyPC portal.  As a result of the discovery — and Citrix isn’t saying how many accounts were breached or for how long it went on before being reported — the vendor forced all subscribers to change their passwords. It’s also urging subscribers to enable two-step verification to make it harder for attackers to get into accounts without users knowing about it.

UPDATE: After this story was published Carbonite, an online backup storage service for business and consumers, told all subscribers to change their passwords after its security team became aware of unauthorized attempts to access a number of accounts. “This activity appears to be the result of a third party attacker using compromised email addresses and passwords obtained from other companies that were previously attacked,” the notice said. “The attackers then tried to use the stolen information to access Carbonite accounts. Based on our security reviews, there is no evidence to suggest that Carbonite has been hacked or compromised.”

Getting employees to follow safe password procedures is a never-ending problem. Verizon Communications believes that 63 per cent of confirmed data breaches involved leveraging weak, default or stolen passwords. It’s one reason why two-factor authentication is a must until biometrics takes over as the most common authentication process.

What CISOs have to make sure employees understand is that they have the ability to limit the exploitation of password weaknesses.

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now