Over the last 72 hours, our security team has noticed an increase in automated attempts to log into our users’ accounts using credentials stolen from other websites. To protect your account, we recommend that you:
NOTE: The Backblaze login database has not been compromised—the credentials were stolen from other sources.
Regrettably, we live in an era where companies have been breached and their customers’ credentials have been leaked—Dropbox, Adobe, and LinkedIn are just a few high-profile examples. In these attacks, the attacker acquires “the Dropbox list” and simply tries those usernames and passwords on another site. If your credentials were leaked in one of those hacks and you used the same username/password combination to sign up for other services (such as ours), you are vulnerable.
While we have a number of methods in place to thwart nefarious attacks, there is a limit to what we can do to prevent someone from signing in to an account with a valid username and password. We are sending this message to you today because we know that some of our users’ credentials are in these stolen lists.
Changing your password now ensures you’re not using a password that was previously leaked. Adding two-factor authentication provides an extra layer of security and protection if credentials end up on one of these lists in the future.
Chief Cloud Officer