Citrix Denies Reports of User Data Being Sold on Dark Web


About a year after it revealed a massive data breach that exposed the personal information of its employees, American software giant Citrix is back in the cybersecurity headlines, this time to rebut reports circulating online that the data of 2 million of its users is being sold on the dark web.

In a blog post on Tuesday, Fermin Serna, Citrix’s chief information security officer, said the company is aware of reports circulating online about a threat actor claiming to have compromised Citrix’s network and threatening to launch a ransomware attack.


“Last week a threat intelligence report circulated concerning claims made on the dark web by a threat actor alleging compromise of the Citrix network, exfiltration of data, and attempts to escalate privileges to launch a ransomware attack,” Serna wrote.

Specifically, in a tweet posted by Under the Breach on Wednesday, a threat actor is reported to claim to have hacked Citrix and to be selling a database containing information on its 2 million users for $20,000. According to reports, the database includes victims' full names, phone numbers, email addresses, company names, and physical addresses.


“Citrix continues to investigate those claims; however, we have no evidence that the threat actor compromised the Citrix network. Rather, all the evidence thus far indicates that the source of the data referenced in the intelligence report is a third party,” Serna revealed.

According to him, while the impacted third party does possess some Citrix-related data, a compromise of this third party’s network still would not give hackers access to the Citrix network, as the third-party firm only has access to Citrix’s “low sensitivity business contacts.”

“This third party has been cooperative and responsive to our questions and direction and has taken immediate action to isolate from the internet any Citrix related data they may have,” Serna noted. “Once that action was complete, the author of the threat intelligence report reported that the threat actor’s unauthorized access was terminated. The third party is now conducting its own investigation and remediation, and is committed to keeping Citrix advised of any developments, and Citrix is ready to assist as necessary,” he continued.

As for the more recent claims that Citrix data is currently up for sale on the dark web, the chief information security officer clarified that the current investigation indicates that “the source of this data is the same third party referenced above.”

“Citrix will continue to work with this third party during its investigation lending support as necessary, as well as ensuring all appropriate disclosures are made,” Serna concluded.