Reply to post:

Customers baffled as Citrix forces password changes for document-slinging Sharefile outfit

Anonymous Coward

"Unless there is reason to believe a password has been compromised or shared, requiring regular password changes may actually do more harm than good in some cases."

I'm guessing Citrix have downloaded one of the many available leaked credentials databases from the web (they are there if you look), and run a comparison against their existing database, and found X% of matches. They've probably also worked out that if an attacker starts at a and ends with z it will take Y weeks until the first account is hacked and Z weeks until the matches all are, so password change all round.

I say I'm assuming cos that's exactly what I did with one of the systems I look after and a forced urgent password change was undertaken in a race against the hackers. Every time a new leaked database is made public, rinse and repeat.

I heartily recommend people to have a nosey at https://haveibeenpwned.com/ and change their password if appropriate.
