Many users have complained that their computers were accessed by hackers via the popular remote access and support tool TeamViewer, but the company says its systems have not been breached.
Users reported on Reddit that their computers were remotely accessed through TeamViewer by unauthorized parties who attempted to steal money from their PayPal accounts and purchase various items on eBay and other websites. The attackers are accessing victims’ accounts through the victims’ own web browsers, which are often configured to remember credentials for commonly used online services.
Many assumed that TeamViewer was either hacked or someone identified a serious vulnerability in the application. However, the vendor has ruled out both these scenarios, saying that the attackers are most likely leveraging leaked passwords and counting on the fact that many people use the same password across multiple websites.
Password reuse could be the cause of these attacks. Hackers recently leaked hundreds of millions of credentials stolen a few years ago from LinkedIn and Myspace, which has led to a surge in account takeover attempts. Reddit reported last week that it had reset the passwords of 100,000 users over a two-week period after detecting unauthorized access.
TeamViewer is pointing to password reuse, which is entirely possible given the recent big breaches https://t.co/I8fnJUMpdb
— Troy Hunt (@troyhunt) June 1, 2016
“TeamViewer is safe to use, because TeamViewer has proper security measures in place including end-to-end encryption to prevent man-in-the-middle attacks, anti-brute-force means, and more,” TeamViewer said in a statement.
“Unfortunately, users are still using the same password across multiple user accounts with various suppliers. While many suppliers have proper security means in place, others are vulnerable. The latter ones tend to be targeted by professional data thieves,” the company added. “As TeamViewer is a widely spread software, many online criminals attempt to log in with the data gained from compromised accounts (obtained via the aforementioned vulnerable sources), in order to discover whether there is a corresponding TeamViewer account with the same credentials.”
TeamViewer has advised users to set strong, unique passwords and enable two-factor authentication (2FA) on their accounts. However, a handful of users have reported getting hacked via TeamViewer even with 2FA enabled. On the other hand, some have confirmed that their passwords were exposed in the recent Myspace and LinkedIn leaks.
TeamViewer also experienced a service outage on Wednesday, and some users assumed it might be related to the attacks. However, in a statement sent to SecurityWeek, the company clarified that the outage was caused by a DDoS attack aimed at the company’s DNS servers and had nothing to do with computers getting hacked.
It’s not uncommon for malicious actors to use TeamViewer in their operations. The remote access tool has been used in recent years by both APT actors in cyber espionage operations and profit-driven cybercriminals. Researchers reported last week that a backdoor has been abusing TeamViewer to load a malicious library on infected devices.