Protecting Your Account

By Tim Nufire | April 28th, 2017


Editor’s Note: This is a copy of an email sent to our customers on 4/28/17. The Backblaze login database has in no way been compromised. That said, we have seen a number of automated login attempts to our site and wanted to alert our users of the risk. See below for more info.
=====
Dear Customer –

Over the last 72 hours, our security team has noticed an increase in automated attempts to log into our users’ accounts using credentials stolen from other websites. To protect your account, we recommend that you:

● Change your password
● Add Two-Factor Authentication for additional security

NOTE: The Backblaze login database has not been compromised – the credentials were stolen from other sources.

Regrettably, we live in an era where companies have been breached and their customers’ credentials have been leaked – Dropbox, Adobe, and LinkedIn are just a few high-profile examples. What happens in these attacks is that the attacker acquires “the Dropbox list” and simply tries those usernames and passwords on another site. If your credentials were leaked in one of those hacks and you used the same username/password combination to sign up for other services (such as ours), you are vulnerable.

While we have a number of methods in place to thwart nefarious attacks, there is a limit to what we can do to prevent someone from signing in to an account with a valid username and password. We are sending this message to you today because we know that some of our users’ credentials are in these stolen lists.
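As an added illustration (not part of the original email and not Backblaze's tooling), the Python below shows one way a site's security team can tell a replayed stolen list apart from ordinary login failures in its own authentication logs. The log format, the `OK`/`BAD_PASSWORD`/`NO_SUCH_USER` result codes and the thresholds are assumptions, and the sample lines are constructed. The signal it keys on is the one described further down in the comments: a single source trying many different usernames, most of which are not accounts on the site at all, with the rare success marking an account whose reused password needs resetting.

```python
"""Spot credential-stuffing activity in authentication logs.

Added example, not Backblaze code. The log format, the result codes and the
thresholds are assumptions; the log lines below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Constructed sample log: "<timestamp> <client_ip> <username> <result>".
# 203.0.113.7 replays a stolen list (many distinct usernames, most of which do
# not exist here); 198.51.100.4 is one user mistyping a password; 192.0.2.10 is
# a shared office address with several legitimate users behind it.
SAMPLE_LOG = """\
2017-04-27T10:00:01Z 203.0.113.7 alice@example.com BAD_PASSWORD
2017-04-27T10:00:01Z 203.0.113.7 bob@example.org NO_SUCH_USER
2017-04-27T10:00:02Z 203.0.113.7 carol@example.net NO_SUCH_USER
2017-04-27T10:00:02Z 203.0.113.7 dave@example.com NO_SUCH_USER
2017-04-27T10:00:03Z 203.0.113.7 erin@example.org NO_SUCH_USER
2017-04-27T10:00:03Z 203.0.113.7 frank@example.net NO_SUCH_USER
2017-04-27T10:00:04Z 203.0.113.7 grace@example.com OK
2017-04-27T10:00:04Z 203.0.113.7 heidi@example.org BAD_PASSWORD
2017-04-27T10:05:10Z 198.51.100.4 alice@example.com BAD_PASSWORD
2017-04-27T10:05:25Z 198.51.100.4 alice@example.com BAD_PASSWORD
2017-04-27T10:05:40Z 198.51.100.4 alice@example.com OK
2017-04-27T10:10:00Z 192.0.2.10 ivan@example.com OK
2017-04-27T10:11:00Z 192.0.2.10 judy@example.com OK
2017-04-27T10:12:00Z 192.0.2.10 ivan@example.com OK
2017-04-27T10:13:00Z 192.0.2.10 mallory@example.com BAD_PASSWORD
2017-04-27T10:13:30Z 192.0.2.10 mallory@example.com OK
2017-04-27T10:14:00Z 192.0.2.10 oscar@example.com OK
"""


@dataclass
class IpStats:
    attempts: int = 0
    users: Set[str] = field(default_factory=set)
    no_such_user: int = 0
    successes: List[str] = field(default_factory=list)


def collect(lines) -> Dict[str, IpStats]:
    """Aggregate login attempts per client IP."""
    stats: Dict[str, IpStats] = defaultdict(IpStats)
    for line in lines:
        line = line.strip()
        if not line:
            continue
        _ts, ip, user, result = line.split()
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if result == "NO_SUCH_USER":
            s.no_such_user += 1
        elif result == "OK":
            s.successes.append(user)
    return stats


def flag_stuffing(stats, min_attempts=5, min_distinct_ratio=0.8,
                  min_unknown_ratio=0.5) -> Dict[str, IpStats]:
    """Flag IPs whose attempts look like a stolen list being replayed: almost
    every attempt is a different username, and most of those usernames are not
    accounts on this site at all. The threshold values are assumptions."""
    flagged = {}
    for ip, s in stats.items():
        if s.attempts < min_attempts:
            continue
        distinct_ratio = len(s.users) / s.attempts
        unknown_ratio = s.no_such_user / s.attempts
        if distinct_ratio >= min_distinct_ratio and unknown_ratio >= min_unknown_ratio:
            flagged[ip] = s
    return flagged


def accounts_to_reset(flagged) -> List[str]:
    """Accounts a flagged source actually got into: the users whose reused
    password should be reset and who should be notified."""
    return sorted({u for s in flagged.values() for u in s.successes})


if __name__ == "__main__":
    stats = collect(SAMPLE_LOG.splitlines())
    flagged = flag_stuffing(stats)
    for ip, s in flagged.items():
        print(f"{ip}: {s.attempts} attempts, {len(s.users)} usernames, "
              f"{s.no_such_user} unknown users, {len(s.successes)} successes")
    print("force password reset:", accounts_to_reset(flagged))
```

The shared office address is deliberately not flagged: it has several users behind it, but every username it tries exists, so the unknown-user ratio stays at zero. That ratio is what separates a replayed breach list from a busy NAT, and it is also why a site cannot simply block "many logins from one IP".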

Changing your password now ensures you’re not using a password that was previously leaked. Adding Two-Factor Authentication provides an extra layer of security and protection if you end up on one of these lists in the future.

Thank you,

Tim
Chief Cloud Officer
Backblaze

Tim Nufire

Chief Cloud Officer at Backblaze
Chief Cloud Officer and co-founder - While Tim stays busy fussing with the Backblaze cloud, designing Storage Pods and managing Operations, he'd much rather be taking Grommit, his Goldendoodle, for a walk.
Category:  Backblaze Bits
  • David Geffen

    Wondering if this has anything to do with why i can no longer access my account? Login that worked a few weeks ago no longer works and because I cannot log in, I cannot get ANY SUPPORT. I have made multiple backup info request over the last few weeks with no response. Called Headquarters as well since you have no phone support. What’s going on?

  • Paul Patras

    You link to an article dated Aug 2016, which documents a security breach Dropbox experienced last year (the other references are even older!). Those were hashed and salted passwords. I fear there may be something more worrying that is not being told here. Can you please be more transparent?

    • Hey Paul, the links in the above were examples of well-known breaches. The “Dropbox List” was also in quotes as an example. Some of the breaches included plain-text passwords, like the VK breach. If you’re curious, a good resource is https://haveibeenpwned.com/, it explains many of the public breaches and what may have been leaked.

      • Paul Patras

        Thanks for the prompt reply and pointer. The VK breach is still old news, as are many others listed there, which prompts the question “why is this all relevant just now?”.

        • It’s not necessarily relevant. Our point was just that these credentials are out there and that malicious people can obtain them and try those credentials on different websites. That’s all we were trying to explain – that since Backblaze has email/password credentials, if someone gets a hold of your credentials from any of those lists and you have used the same credentials elsewhere, they can try those credentials on those sites. Which is why we recommend creating new passwords for all of your online accounts and enabling 2FV where available.

  • Tom

    I just wanted to say THANK YOU. I missed the email but Google Now had the blog post right on my front page. This also lets me know other sites also have similar attacks increasing recently.

    PSA: don’t reuse passwords. You can use something like Dashlane or similar to generate and save for you.

  • Barry Moon

    Just checked the main site to see if it was a phishing scam. Happy to see it is not.

    • Nope! We know the email looked a bit wonky; unfortunately, in our haste to get it out the door we forgot to turn off the default link tracking in one of our email services. Definitely a face-palm considering the content of the email!

  • Fred Laxton

    OK, I’m all in favor of 2FA, but texting to a phone? Seriously? That is not secure.

    Please offer true, secure 2FA using Google Authenticator or apps like I use, Authy, which has all my 2FA accounts. Authy uses Google Authenticator, just with multiple accounts and works everywhere – Mac, Windows, Chrome app, iOS, Android, and syncs your accounts across devices. That is the way to go, not insecure texting/SMS!

    Read this as just one example of many:
    https://www.wired.com/2016/06/hey-stop-using-texts-two-factor-authentication/

    You are encouraging your users to use a failed method of “security” instead of a real one.

    Not good!

    • Fred – we’ve been looking into that for some time and we’re going to get TOTP 2FA implemented by August!

      • Fred Laxton

        OK I’m glad to hear that. I’ll be looking for it. I have been recommending BackBlaze to my clients, and will continue to do so!

  • Pingback: Don’t reuse logins. Today: Backblaze. – mkln.org

  • Thomas Jaatinen

    Echoing previous comments: I’m happy that there was a notification by email, and that there was a corresponding blog post. An email only would have been highly suspect, as there’s so much phishing going around.

    I was also a bit unclear on how you are sure that credentials stolen from other sites were used (as you mention below, you’re still investigating, but transparency is king). Mentioning that this was a case of password re-use (and/or explaining the concept again) would have clarified things, I think.

    Also, although there are many schools of thought on this one, waiting is seldom a good thing in my mind. Even if it turns out to be a false alarm, and results in a bunch of people logging in to change their password, that would hardly be a bad thing. Granted, it will increase the amount of support tickets and put a strain on your customer support, but early warning I think is better than late warning.

    • Fair points, Thomas. I can say that there was a high correlation between the credentials used against our site and those stolen from other sites, and a low correlation with accounts actually in our system. As soon as we had a conclusive understanding of the incident we disclosed the information to our customers – that was the easy part :-) As one of the Backblaze founders, I’m particularly proud about the culture of transparency we’ve built… and, as you noted, very appreciative of the work our Support Team does at times like this.

  • NotExpert

    Hi to all, from the website, in my private area, there is no way to see the last accesses to the account. If not, is there the possibility to add this list (for example the last 5 accesses/IPs etc.)? I think that data is already stored…
    Thanks

    • Seconded

    • Good morning! That’s something we believe could help our users. There’s a balance on things like this of also respecting user privacy, but there are plenty of good examples of how to execute IF the user is given the ability to opt in. We’re looking at it.

      • NotExpert

        Hi YesvP, thanks for the answer. You are speaking about “privacy”, “opt in”, etc.
        Of course there is no question of privacy if “I” made an access to “my” data.
        But I make it simpler: Can I know the last date access to my data? -> (yes) (no)
        If (no) can I know how to delete all my account from Backblaze and *all my data*? Can you please post a link about this?
        Thanks

        • Hey there – if you have specific questions about your account you’ll need to ping support and ask them -> https://help.backblaze.com/hc/en-us/requests/new. Account information is not something we tend to discuss in public forums! Support can look at your account and try to answer any question you may have about it though!

  • Dmitri

    After clicking on your logo in your email, I got to “http://mktg-backblaze-com/” and of course my browser displayed an error: This site can’t be reached… mktg-backblaze-com’s server DNS address could not be found.

    • That was totally our fault. We were moving really quickly b/c we wanted to get the email out. Unfortunately that meant that default tracking was enabled in the email and the logo went to a dead-end. Our bad – and definitely a face-palm moment considering the content of the email. Sorry!

  • wqweto

    Can you get this specific user/pass database and check for passwords reuse in your registered accounts and then notify affected users? Not allowing registration with already leaked credentials (user/pass match) will be another security-in-advance feature.

    Although (Google) Authenticator apps for 2FA is a more urgent feature request IMO.

    • We do not want to disclose the other pieces of activity that we have been tracking, nor some of our specific defensive measures. To do so could pose downstream security risks. Sorry.

      Google Auth or equivalent is a feature we are working on and we are committed to having the option available by August of this year. But, to be clear, SMS based 2FA will remain an option as it’s easy to use and protects users from credential reuse attacks like this one. Having Google Auth or equivalent as an additional option is also important and we are committed to introducing it as part of our service.
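One concrete shape of the second suggestion above (refusing sign-up or a password change when the password already appears in a public breach corpus) is the k-anonymity range lookup used by the Pwned Passwords service at haveibeenpwned.com, the resource pointed to earlier in this thread. The Python below is an added example, not Backblaze code and not the HIBP client: the `RangeServer` class stands in for the lookup service, its corpus is constructed from a few commonly leaked passwords, and the 12-character minimum is an assumption. The client sends only the first five hex characters of the SHA-1, so the service never learns the password or its full hash.

```python
"""Reject passwords that appear in a known breach corpus without sending the
password (or its full hash) to the lookup service.

Added example, not Backblaze code. The corpus below is constructed from a few
commonly leaked passwords; a real deployment would load a large corpus such
as the one behind haveibeenpwned.com.
"""
import hashlib
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed breach corpus. Only hashes are kept on the server side.
LEAKED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "123456789", "password1"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class RangeServer:
    """Lookup service indexed by the first 5 hex characters of the SHA-1.
    A query for a prefix returns every stored suffix under it, so the server
    learns at most which 5-character bucket the client's password falls in."""

    def __init__(self, leaked_passwords: List[str]):
        self._buckets: Dict[str, Dict[str, int]] = defaultdict(dict)
        for pw in leaked_passwords:
            h = sha1_hex(pw)
            bucket = self._buckets[h[:5]]
            bucket[h[5:]] = bucket.get(h[5:], 0) + 1

    def range(self, prefix: str) -> List[str]:
        """Return 'SUFFIX:COUNT' lines for one prefix (empty list if none)."""
        return [f"{suffix}:{count}"
                for suffix, count in sorted(self._buckets.get(prefix, {}).items())]


def leaked_count(password: str, server: RangeServer) -> int:
    """Client side: send only the 5-character prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in server.range(prefix):
        candidate, count = line.split(":")
        if candidate == suffix:
            return int(count)
    return 0


def registration_allowed(password: str, server: RangeServer,
                         min_length: int = 12) -> Tuple[bool, str]:
    """Policy applied at sign-up and at password change (min_length is an
    assumed site policy)."""
    if leaked_count(password, server) > 0:
        return False, "password appears in a known breach"
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    server = RangeServer(LEAKED_PASSWORDS)
    for candidate in ["letmein", "Tr0ub4dor", "correct horse battery staple"]:
        print(candidate, "->", registration_allowed(candidate, server))
```

Checking the breach corpus before the length rule is deliberate: a long password that is already in a public list is worse than a short one that is not, and the user should be told which problem they have. The same `leaked_count` call can run on every password change, which is how a site stops a leaked credential from being reintroduced later.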

  • calmdownbro

    It would be really cool if we could use Authenticator programs on our smartphones. The SMS is OK as an alternative, but I would rather not pay extra for just security/2-FA. Thanks!

    • Good morning! We’ve had it on the roadmap but w/o an ETA for some time and we’re going to get TOTP 2FA implemented by August!

  • Victoria Charles

    Thank you for the update.

    Rather worryingly I fear my account may have been hacked with yourselves.

    As suggested I logged into my account, to change password and set up two step verification.

    I was asked for the two step verification which had been sent to my phone – no code to phone was received and I have not yet set the two step verification.

    I have changed the password I think, but still can’t access my account as I am being asked for the code off my phone which I am not receiving.

    I have sent you an email through help. I fear my account may already have been hacked as I can’t access my details.

    • Victoria – it sounds like there is an issue with getting the SMS message to your device. Support can help you by trying to send it via another provider. If you have the ticket number we can make sure they take a look at it (since you’ve already sent in a request they’ll respond shortly) – but it is likely unrelated to the above.

  • Pingback: Protecting Your Account – Akshaya IT Services

  • EatMoreDonuts

    Thanks for updating your customers!

    Please be more transparent (why do you think compromised credentials were directed to backblaze, have you identified activities earlier than 72 hours – why did you wait 72 hours to email me?, what protections do you have in place to alert you of abnormal behavior, etc.). Have you identified accounts that were accessed from ip addresses that were never used to access those accounts before?

    Why don’t you have an alert for customers if there is a login from a device that has never been used to access their account?

    I wasn’t aware that you offered two factor authentication until this email. Have you always offered that or was that in response to this?

    I trust you with my data and backups and expect you to be experts to address security issues that could happen. If you aren’t capable of doing that, why would I continue using this service?
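NotExpert's request earlier in the thread for a list of the last five accesses/IPs and the question just above about alerting when a login comes from a device never used on the account can be served by the same small piece of bookkeeping. The Python below is an added example, not Backblaze's implementation: the (IP, user agent) pair used as a device fingerprint, the "enrol silently on first login" rule, the alert wording and the constructed login events are all assumptions.

```python
"""Per-account login history with a new-device alert.

Added example, not Backblaze code. The event fields, the fingerprint and the
"last 5" window are assumptions; the login events below are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class LoginEvent:
    ts: str          # ISO-8601 timestamp of the successful login
    ip: str          # client address as seen by the web tier
    user_agent: str  # coarse device fingerprint; the browser UA string here


class LoginHistory:
    """Keeps the most recent successful logins per account (to show the user
    in their account page) and remembers which (ip, user_agent) pairs have
    been seen before, so a login from an unknown pair can trigger a notice."""

    def __init__(self, keep_last: int = 5):
        self.keep_last = keep_last
        self._recent: Dict[str, List[LoginEvent]] = {}
        self._known: Dict[str, Set[Tuple[str, str]]] = {}

    def record(self, account: str, event: LoginEvent) -> Optional[str]:
        """Store a successful login. Returns an alert message when the
        (ip, user_agent) pair is new for an account that has logged in
        before; the very first login enrols that device silently."""
        fingerprint = (event.ip, event.user_agent)
        known = self._known.setdefault(account, set())
        alert = None
        if known and fingerprint not in known:
            alert = (f"{account}: new sign-in from {event.ip} ({event.user_agent}) "
                     f"at {event.ts}; if this wasn't you, change your password")
        known.add(fingerprint)
        recent = self._recent.setdefault(account, [])
        recent.append(event)
        del recent[:-self.keep_last]  # trim to the last N entries
        return alert

    def recent(self, account: str) -> List[LoginEvent]:
        """Most recent logins, oldest first: what the account page would list."""
        return list(self._recent.get(account, []))


# Constructed sequence: six logins from the user's usual laptop, then one from
# an address and client never seen on this account.
HOME = ("198.51.100.4", "Firefox/52 (Macintosh)")
UNKNOWN = ("203.0.113.7", "python-requests/2.13")


def demo() -> Tuple[List[Optional[str]], List[LoginEvent]]:
    history = LoginHistory(keep_last=5)
    alerts = []
    for day in range(20, 26):
        alerts.append(history.record("alice@example.com",
                                     LoginEvent(f"2017-04-{day}T08:00:00Z", *HOME)))
    alerts.append(history.record("alice@example.com",
                                 LoginEvent("2017-04-27T03:12:44Z", *UNKNOWN)))
    return alerts, history.recent("alice@example.com")


if __name__ == "__main__":
    alerts, recent = demo()
    print([a for a in alerts if a])
    for e in recent:
        print(e.ts, e.ip, e.user_agent)
```

Because the history only records successful logins, it shows the user exactly what the reply above says support can see on their behalf, and the alert fires on the one event a credential-stuffing victim most needs to hear about: a valid password used from somewhere they have never been.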

    • EatMoreDonuts – Apologies if you feel like we’re hiding anything. Our goal in sending notifications across all channels is the opposite. We wanted to share the information we have. Specifically, that someone with a large number of user credentials, likely stolen from other websites, has been using them against our site to see if any of them were re-used for our users’ accounts. In sending out our communication, we wanted to remind users that their credentials may have been leaked by OTHER companies and that it is always important to not re-use passwords across services.

      Since our investigation is ongoing, we do not want to disclose the other pieces of activity that we have been tracking, nor some of our specific defensive measures. To do so could pose downstream security risks. We discuss some aspects of our security towards the bottom of this page: https://www.backblaze.com/cloud-backup.html

      Again, the Backblaze system has NOT been compromised.

      With regard to 2 Factor Verification, that is something we introduced in Aug of 2015 (here’s our blog post announcing it – https://www.backblaze.com/blog/two-factor-verification-for-backblaze/).

      As to our overall security practices, let me provide the context that I am one of Backblaze’s five founders. Our customers trust us with their data – personal, financial, and many things in between. That is a responsibility that we’ve embraced every day for the last 10 years and will continue to do so for as long as Backblaze exists.

      We appreciate you being a customer and hope our commitment to transparency and security earns us your business going forward.


  • Chris Watkins

    Thanks for posting this here. When I received the email, I felt like I needed to make sure it wasn’t a phishing attempt!

    • Chris – Absolutely! We were working quickly to get the email sent out and unfortunately we forgot to turn off the link-click tracking that was on by default for one of our email providers. We apologize for the confusion – certainly not how we wanted that to go out!