Return to site

Citrix Data Breach: And it Continues

In late 2018 Citrix SHAREFILE implemented a mass password we predicted, there's more to it than meets the Public Statement



In late 2018 Citrix SHAREFILE pushed a big red button that caused existing SHAREFILE accounts to go into a pending Password Reset state. The behavior immediately sent up red flags at NS.BC and we created a calculated plan to assist our clients with securing SHAREFILE accounts.

The official statement from Citrix: " the course of our ongoing security monitoring, we saw incidences in ShareFile that had some of the characteristics of credential stuffing. After further analysis, we became very concerned that indeed perpetrators were using credentials obtained from breaches unrelated to ShareFile to attempt to gain access to individual accounts."


I have taken to referring to recent years as The Duck Years because: If it walks like a duck and talks like a duck, then it's likely a duck.

Continual information releases, our deep-dive investigations and data gathering has led us to deduce that the mass password reset of 2018 may have been in response to more than data gathered in relation to "credential stuffing," as was stated in the official Citrix Release. Recent findings in a report made by the FBI shows that only a few weeks after the the password reset, Citrix's internal network was compromised by a group with a history of working to retrieve sensitive government documents. It should be made clear that Citrix offers SHAREFILE GOVERNMENT, a FedRAMP SaaS solution. The government offering by SHAREFILE, all-but-guarantees that sensitive government documentation is stored in the SHAREFILE ecosystem. It can be concluded that by offering secure storage to government agencies, additional parties utilizing the same or branches of the same systems becomes an unintended target. Any collateral (business, proprietary, PII documents) belonging to unintended victim users or organizations would be the unintended spoils of such a breach.


Citrix has publicly stated that they have not identified any tie between the "credential stuffing" password reset protocol initiated in early December, 2018, and the internal network hack that occurred over the Christmas Holiday, 2018, as reported by the FBI. Coincidence assumes chance. Technology does not. Technology is binary. Something is either on or off, a 1 or a 0. There is no coincidence in programming, development or operation of technology. It stands to reason that when informational reports compiled and compared with data from the same or similar events, that there is a correlation.

The security stock which we had put in SHAREFILE as a secure storage location has plummeted. It is now up to the end-user or client firm to make the following choices:

  • What is the value of the data stored at SHAREFILE?
  • Does the cost of data leak or compromise outweigh the cost of a (potentially) major infrastructure change [moving to a different secure storage solution]?
  • Where is the confidence level in SHAREFILE with regard to honesty and transparency and how does this shape future security concerns and they in which they are handled by this service provider?

NS.BC offers and administers alternative solutions that has long employed the use of multi-factor authentication and intelligent behavior analysis in order to protect data stored in cloud environments. Multi-factor Authentication was a late add to SHAREFILE and we are still unclear if intelligent behavior analysis is being employed by SHAREFILE, as it pertains to account activity.

If you are interested in an alternative solution please feel free to submit a support request.