Breach, Threat Management, Data Security, Incident Response, TDR

‘Password attacks’ continue; Citrix becomes latest victim

Hackers used login information to launch a “sophisticated password attack” to login to Citrix's GoToMyPC user accounts, according to a company blog post. The remote access software reset passwords of its users, in the latest example of a web company reacting to unauthorized attackers accessing its user accounts.

The attack method appears to be a similar approach to the recent large-scale effort used to access GitHub accounts last week. Attackers used credentials attained through stolen password repositories to gain access to user accounts of the web-based code hosting platform. The GitHub attackers used “lists of email addresses and passwords from other online services that have been compromised in the past,” the company said.

There has been a rise in attempted logins across many web platforms and sites after the discovery of 117 million LinkedIn, 360 million MySpace, and 65 million Tumblr email credentials for sale on the Dark Web last month. The credentials were obtained from breaches that occurred in 2012 and 2013. Earlier this month, a hacker dubbed “Peace” claimed responsibility for the LinkedIn, Tumblr, and MySpace data dumps and released an additional database containing 171 million user accounts associated with the Russian social networking site

While some password databases originate from previous breaches, other password databases are gained from compromised personal and organizational endpoints, according to Israel Barak, CISO and head of incident response Cybereason. “Botnets are adapting their operations to use their control over millions of endpoints – personal and corporate ones, sometimes controlling them with just a commodity malware that is considered “low risk”, to create better monetization models, and specifically as it relates to credential theft, they extract user credentials stored on these endpoints (i.e. “saved passwords”) and aggregate them into password databases that can be sold and monetized on in the marketplace,” Barak wrote in an email to

The use of bots in launching these attacks has plagued the private and public sectors. A recent report by Distil Networks found that only 12 percent of websites could detect simple bots, while less than one percent of sites were able to detect most advanced bots. Consumer, government and financial services were least capable of detecting bots.

The posted login credentials have led to concerns that web services now face an increase in risk of unauthorized logins, as many web users continue to reuse login information across multiple platforms. In a move similar to Citrix, Reddit reacted to the discovery of the published login credentials by a forced password reset last month. “Though Reddit itself has not been exploited, even the best security in the world won't work when users are reusing passwords between sites,” the company stated.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.