What Carbonite Says Happened
Yesterday (6/21), the popular cloud backup vendor Carbonite began sending emails to its users notifying them that they were required to change their passwords for the service. An announcement on Carbonite's website says that the company noticed attempts by cybercriminals to access users' accounts (and therefore their backed-up data) using "email addresses and passwords obtained from other companies that were previously attacked."
Why You Should Change Your Password
This kind of thing is, unfortunately, common. Attackers assume, too often correctly, that people tend to use the same password with a number of different vendors. So, if they obtained your email address and your password for, say, Amazon, they can try that same email address and password against another vendor, such as Carbonite. The technique is known as credential stuffing: nothing about Carbonite itself has to be broken, because the attacker simply logs in with credentials that are valid. Given that, it is perfectly legitimate and responsible for Carbonite to require you to change your password.
The Mistake(s) Carbonite Made
Assuming that Carbonite has diagnosed the problem correctly, they are not at fault for the initial issue. They detected hackers using stolen emails and passwords from other vendors to attempt accessing users' data, and they did the right thing by notifying their customers.
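Credential stuffing has a recognisable shape in a vendor's own login logs, which is presumably how Carbonite noticed it: one source address trying many different accounts in a short time, most of them failing, with the occasional success where a reused password happens to be current. The following is an added example of that detection logic, not Carbonite's code and not a description of their systems. The log format, the thresholds, the addresses and the accounts are all constructed for the illustration.

```python
"""Illustrative credential-stuffing detector (added example, not Carbonite's
code).  It replays constructed login-log lines and flags any source IP that
attempts many *different* accounts inside a short window, which is the
signature of an attacker replaying email/password pairs leaked from another
site.  A single user mistyping their own password several times is not
flagged, because the distinct-account count stays at one."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in a hypothetical "login ip= user= result=" format.
# 198.51.100.7 walks through six accounts and gets one hit; 203.0.113.9 is a
# legitimate user who fat-fingers their password twice; 192.0.2.44 is normal.
SAMPLE_LOG = """\
2016-06-21T09:00:01Z login ip=198.51.100.7 user=alice@example.com result=fail
2016-06-21T09:00:02Z login ip=198.51.100.7 user=bob@example.com result=fail
2016-06-21T09:00:02Z login ip=198.51.100.7 user=carol@example.com result=fail
2016-06-21T09:00:03Z login ip=198.51.100.7 user=dave@example.com result=success
2016-06-21T09:00:04Z login ip=198.51.100.7 user=erin@example.com result=fail
2016-06-21T09:00:05Z login ip=198.51.100.7 user=frank@example.com result=fail
2016-06-21T09:00:10Z login ip=203.0.113.9 user=grace@example.com result=fail
2016-06-21T09:00:15Z login ip=203.0.113.9 user=grace@example.com result=fail
2016-06-21T09:00:20Z login ip=203.0.113.9 user=grace@example.com result=success
2016-06-21T10:30:00Z login ip=192.0.2.44 user=heidi@example.com result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$"
)


def parse_log(text):
    """Parse log text into (timestamp, ip, user, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not login records
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["ip"], m["user"], m["result"] == "success"))
    events.sort()
    return events


def detect_stuffing(events, window=timedelta(minutes=5), distinct_users=5):
    """Flag IPs that touch at least `distinct_users` different accounts within
    any `window`.  Returns {ip: {"distinct_users": n, "compromised": [...]}},
    where "compromised" lists accounts that the flagged IP logged into
    successfully, i.e. the reused passwords the vendor should force-reset."""
    by_ip = defaultdict(list)
    for ev in events:
        by_ip[ev[1]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        # Sliding window over this IP's events (already time-ordered).
        start, peak = 0, 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            peak = max(peak, len({e[2] for e in evs[start:end + 1]}))
        if peak >= distinct_users:
            compromised = sorted({e[2] for e in evs if e[3]})
            findings[ip] = {"distinct_users": peak, "compromised": compromised}
    return findings


if __name__ == "__main__":
    for ip, info in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {info['distinct_users']} accounts tried, "
              f"successful logins: {info['compromised'] or 'none'}")
```

The distinct-account threshold is the important design choice: a per-IP failure count alone would also flag the legitimate user at 203.0.113.9, while the attacker at 198.51.100.7 could stay under any per-account lockout because each account sees only one attempt. In practice the same logic is run per source network and per user-agent as well, since stuffing tools spread attempts over many addresses.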
However, they did not handle the notification process very well. First of all, they notified users of the need to change their passwords via email. As many of the commenters on Carbonite's announcement have pointed out, this is a problem because Carbonite's email contains many of the telltale signs of a fraudulent phishing email: it purports to be from a reputable brand, announces a disaster, and asks users to click a link and enter their password. While Carbonite's email is legitimate, it's also exactly the kind of email that hackers would use to obtain users' passwords fraudulently.
To make matters worse, the password reset mechanism Carbonite has in place once a user clicks the link in their email does not ask the user to verify their current password before creating a new one, so the emailed link by itself is the only thing standing between whoever holds it and the account. Furthermore, there is no way for users to initiate the reset from Carbonite's website, which is what we would normally instruct users to do so they can be sure they are not the victims of a phishing attack.
Lessons We Can All Learn
First of all, the takeaway from this situation is that, whenever possible, users should use a different password for every vendor. While it can be tedious to remember a laundry list of different passwords, a secure password manager removes that burden by generating and storing a unique password per site. This matters because it contains the damage: if one vendor is breached, the leaked password opens nothing else.
Secondly, vendors like Carbonite need better methods of notifying their customers and facilitating password changes. When you receive a security notification, it is good practice to contact the vendor directly or type their website address yourself to make changes to your account, instead of clicking links sent in emails; the sophistication of email fraudsters makes this caution necessary. Vendors, in turn, need to design their processes around that habit, so that a user who ignores the emailed link and goes to the site directly can still complete the change and be absolutely certain they are not the victim of fraud.
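To make the criticism above concrete, here is an added example of a reset flow that fits the advice in both sections: the user initiates the reset on the vendor's own site, and the token that goes out by email is random, short-lived, single-use and never stored in the clear, since (as noted about Carbonite's link) it is the only secret authorising the change. This is illustrative code written for this article, not Carbonite's implementation; the `Account`, `ResetService`, the 15-minute lifetime and the use of scrypt for the password hash are all assumptions made for the example.

```python
"""Illustrative password-reset service (added example; not Carbonite's code).
Design points: the reset is started from the site, not from an email link;
only a SHA-256 hash of the token is stored, so a database leak does not yield
usable reset links; the token expires and is consumed on first use; and the
comparison is constant-time."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

TOKEN_TTL = 15 * 60  # assumed lifetime of a reset token, in seconds


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted scrypt hash, stored as 'salt_hex:digest_hex' (assumed scheme)."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2 ** 14, r=8, p=1)
    return salt.hex() + ":" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split(":")
    digest = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex),
                            n=2 ** 14, r=8, p=1)
    return hmac.compare_digest(digest.hex(), digest_hex)


@dataclass
class Account:
    email: str
    password_hash: str
    reset_hash: Optional[str] = None  # sha256 of the outstanding reset token
    reset_expires: float = 0.0        # unix time after which the token is dead


class ResetService:
    def __init__(self, now=time.time):
        self.accounts = {}   # email -> Account (a stand-in for the user table)
        self.now = now       # injectable clock so expiry can be tested

    def request_reset(self, email: str) -> Optional[str]:
        """Step 1, triggered by the user on the website.  Returns the token to
        send by email, or None for an unknown address.  The HTTP response the
        user sees should look the same either way, so the endpoint cannot be
        used to enumerate which addresses have accounts."""
        acct = self.accounts.get(email)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)          # 256 bits of randomness
        acct.reset_hash = hashlib.sha256(token.encode()).hexdigest()
        acct.reset_expires = self.now() + TOKEN_TTL
        return token

    def complete_reset(self, email: str, token: str, new_password: str) -> bool:
        """Step 2.  Accepts the new password only if the token matches the
        stored hash, has not expired and has not already been used."""
        acct = self.accounts.get(email)
        if acct is None or acct.reset_hash is None:
            return False
        if self.now() > acct.reset_expires:
            acct.reset_hash = None                 # expired: discard it
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, acct.reset_hash):
            return False
        acct.password_hash = hash_password(new_password)
        acct.reset_hash = None                     # single use
        return True


if __name__ == "__main__":
    svc = ResetService()
    svc.accounts["alice@example.com"] = Account("alice@example.com",
                                                hash_password("leaked-elsewhere"))
    tok = svc.request_reset("alice@example.com")
    print("reset ok:", svc.complete_reset("alice@example.com", tok, "fresh-unique"))
    print("replay ok:", svc.complete_reset("alice@example.com", tok, "again"))
```

Because the user starts the process on the site, a notification email only needs to say "log in and change your password" and never has to carry a link at all, which removes the feature that made Carbonite's legitimate email look like a phish.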