There have been a few media stories recently about a hack of the Citrix corporate network, which originated with a threat actor gaining access to a Citrix marketing content management server. I want to address this issue for our customers, and for the industry, to clarify some items.

A threat actor has said he gained access to a single server used to stage content for the GoTo family of web sites, a server configured for easy access to web site content and marketing campaign materials. The content management server under question did not contain any customer, employee or other sensitive or confidential information. 

Although the content management server allowed anonymous access to content, anonymous access is insufficient to write metadata changes to production. Claims that a threat actor could modify production web site content, web server configurations, or access internal Citrix systems are not factual. The server has been reconfigured, and administrative passwords have been changed.

Also, I want to clarify some confusion concerning ShareFile. While in this outwardly facing content management system, the threat actor identified a password to a ShareFile account which contained previously disclosed images and other marketing materials. Related, the threat actor identified an application programming interface token for the read-only rights to this ShareFile account. Again, no customer, employee or other sensitive or confidential information was exposed, and this old, unused ShareFIle account has been disabled and the read-only API key to this account revoked.

Finally, we have no evidence that this threat actor has accessed systems other than the single content management server. We will continue to monitor the environment for unauthorized access and changes.

Thank you,

Stan Black
Chief Security Officer