Citrix site now states that the break-in was from "credential stuffing" attack not a hack, not phishing:
"There has been a constant increase in internet-account credential (usernames and passwords) theft, and, since those same credentials are often used to access other accounts, we have seen a commensurate increase in credential stuffing attacks. To help our customers protect their data, we are requiring a password reset and will be incorporating a regularly-scheduled, password reset into our normal operating procedures. Users will need to reset their passwords when logging into ShareFile. We do not believe that this issue resulted from a compromise of our systems. We believe this is an important step to continue to help our customers use our solutions securely. For more information, please refer to our blog."
From Wiki: "Credential Stuffing attacks are made possible because many users will reuse the same password across many sites with one survey reporting that 81% of users have reused a password across 2 or more sites and 25% of users use the same password across a majority of their accounts[3]."
It's plausible that some of my clients reused their credentials from other sites.
Would seem that multi factor authentication would have protected those accounts where people reused their credentials from other sites that had gotten hacked.
But in true successful hack of a site, wouldn't the multi factor code have gotten compromised also?
(Meanwhile turning on two factor authentication for my clients has broken upload alerts to them from ShareFile...