Carbonite Security Update: Heartbleed

by Megan Wittenberger | Apr 14, 2014

As you may have seen in recent news, a major vulnerability has been exposed in OpenSSL, popular web encryption software used widely across the internet. This vulnerability – dubbed Heartbleed – makes it possible for hackers to access information transmitted from your computer even though it is encrypted via the HTTPS protocol.

Data privacy and security are of the utmost importance to us. Here’s some information about how Carbonite has been affected by Heartbleed, and what – if any – steps our users need to take.

Carbonite Personal and Pro are unaffected
Carbonite Personal and Pro subscriptions do not use the affected encryption software. Your personal data was never at risk. With Carbonite’s Personal and Pro subscriptions, your data is protected by the following safeguards:

Encryption: Your data is encrypted while on your computer and securely transmitted to our data centers, where it stays encrypted.
Data centers: Our state-of-the-art data centers are guarded 24/7, employ temperature control and biometric scanners, and have backup generators in the event of a power disruption.
Third-party compliance audit: We recently completed a six-month audit with an outside firm to ensure all of our practices meet the strict federal guidelines of HIPAA and SOC 2. The external auditor found that we met or exceeded the requirements.

If any of your other online vendors has been impacted by Heartbleed and you use the same password as you do for Carbonite, we recommend changing both passwords. Your Carbonite password should only be used for our service, and data security best practices state that a password should be at least 10 characters, with capital letters, numbers and symbols.

Carbonite Sync & Share and Server backup are affected
We are using the affected software for Carbonite Sync & Share and Carbonite Server backup. Carbonite has not experienced any signs of exploitation as a result of this widespread internet vulnerability, and we have taken immediate steps to remediate the vulnerability and obtain new encryption certificates. These two steps provide full resolution of this issue; however, to ensure you are fully protected, we recommend you change your Carbonite password. We are currently in the process of obtaining new security certificates, and will send an email to all Sync & Share and Carbonite Server backup users when this has been completed so they can change their passwords.