Teamviewer is (Possibly) hacked. Be careful. $1000+ has already been stolen from several users.
"Users are reporting breaches, and thousands of dollars have been stolen with the client, all over /r/teamviewer and at their support Twitter account. TV is blaming users with reusing passwords, yet users with 2FA and unique very long generated passwords were hacked."
Everything can be found here: https://www.reddit.com/r/technology/comments/4m7ay6/teamviewer_has_been_hacked_they_are_denying/
This is teamviewer's statement: http://www.teamviewer.com/en/company/press/statement-on-service-outage
Thought I'd spread the word since it's very serious and could cause a lot of damage, especially if you're running them on multiple computers.
Comments
Dammit. This is a very serious problem
I've been keeping an eye on this. It would seem that it affects just those who have a TeamViewer online account with no 2FA enabled. You can read a lot of hacked cases here: https://www.reddit.com/r/teamviewer/comments/4m6omd/teamviewer_breach_masterthread_please_post_your/
Most (if not all) of them had online accounts and no 2FA.
Pretty much anywhere you read about this, including this thread, people claim that even those with 2FA and even those using white-listing of IDs have been affected, yet I kind of doubt that's the case.
I have several places where TV runs 24/7, with no online account and with white-listing of just a handful of IDs... none of these places were exploited.
Thanks for the input!
I was just editing my post when you quoted me, I wanted to add the following:
Even though the clues point to my conclusion from the last post, I still went ahead and shut down TV on the more important places, for now at least, until the air clears, considering TV team looks very suspicious, guilty and weird about this entire situation... and they are denying everything. So, you never know. I'd urge everyone else to do the same, just to be safe.
I've read over a fair amount of it and, to be honest, it sounds to me like this could go either way. Obviously, everyone should take appropriate action and maybe even close down TeamViewer pending further information. However, I'm not convinced that they have been compromised here.
A lot of the comments seem like hype perpetuated by these "me too" comments where everyone is saying "Oh yeah I have TeamViewer too and I've also been compromised." How quickly one very common application can become a scapegoat for other security failures. I'd bet 100% of compromised Windows users have Notepad as well.
I propose it's more likely that someone has just now launched a large-scale attack on TeamViewer accounts using databases from other compromises. Otherwise the majority of the reports read like "I've been compromised too, and I have TeamViewer, therefore TeamViewer was compromised."
One user claimed to use 2FA on "almost everything" and did not clearly state that something behind two-factor authentication was compromised. I've seen only one report making the direct claim that TeamViewer behind 2FA was compromised, and that is not enough for me to jump to the conclusion yet.
@jarland, Yeah, that's what I was thinking of, hence why TeamViewer still claims they haven't been breached. Anyway, I'm personally keeping it closed (like I had anyway) till more info is released. I've also put (possibly) in the title to not let people jump to conclusions.
I think the security breach is the fault of TeamViewer. My rather tech-savvy friend was hacked early morning a few weeks ago, and his TeamViewer password was unique to only TeamViewer and generated to pass even the most rigorous password policies (20+ char length, symbols, multicase, etc.). I find it a little interesting as to how that password could have been brute forced or stolen from an alternative database...
We could be talking about different attacks here, as I've also read articles claiming that a flash update virus downloaded and installed TV onto victim computers, so if your friend already had TV that didn't prevent another installation from such a virus, and then he'd blame TV for the breach.
Quite possible. I'd just strongly recommend anyone compromised not throw all of their eggs in one basket just yet. Correlation can lead you down the right path, but confirmation is what helps you prevent the next compromise.
He runs TeamViewer for personal remote access and isn't on Windows..? Also a Chrome user with Flash disabled?
I totally agree, I just feel like in his use case it is quite apparent what the origin of the attack was.
Under those circumstances, probably not the flash update virus I mentioned.
Did he have a TV online account at the time? 2FA active on that account?
He did have his account online and idling, and he did not have 2FA. Just the long generated password.
Thank god I disabled TeamViewer background services and only turn it on when I need to connect, it's kind of a memory hog ;p Nothing happened, I checked the logs.
I didn't mean if he had his TV opened on his PC at the time, I meant if he had/has an account on the TV website, where your IDs and easy access (aka password-less access) get saved.
Recently I've been getting a few legitimate emails from Teamviewer from people asking to be added to my contacts list. I've never received these before last week. Is it related?
I believe from what I was seeing, these were possibly fishing expeditions to see who had valid IDs or not. Basically like checking a card for validity.
Here, many people download TeamViewer from non-official sources.
Once, someone used to say that it's a way to spread CryptoLocker...
For any software, not just TV specific... if you're naive enough to download software from some random website, you kind of deserve to get screwed over.
Wow, I didn't even know there was 2FA on TeamViewer.
For anyone that wants to disable TeamViewer, this is what I did:
I'm going to be a bit wordy, in case someone who doesn't know what they're doing can still follow along.
Right click tray icon for TeamViewer > Options > Advanced > Show Advanced Options
Under the section that says "Advanced Settings for Connections to this Computer"
Set "Access Control" == "Deny Incoming Remote Control Session"
On your keyboard, Windows Icon + R (or Start > Run)
Type in "services.msc"
Single Left-Click Anywhere on the list of items on the right.
Hit the letter "t" on your keyboard.
Scroll down a bit to find "TeamViewer #" (where # is the version # you have)
Right Click > Properties > Click "Stop"
Slightly above, change "Startup Type" == "Disabled" > Apply > OK
Close the "Services" window
Hope this helps anyone that has it running on the computer
Edit: added extra spaces, because Markdown moves the #'s to be on same lines for some reason
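The services.msc steps in the post above can also be done from an elevated PowerShell prompt. This is an added example, not part of the original post; the function name `Disable-TeamViewerService` is hypothetical, and it assumes the service's display name starts with "TeamViewer", as the post describes. It does not change the "Access Control" option, which is set in the TeamViewer client.

```powershell
#Requires -RunAsAdministrator
# Added example: stop every TeamViewer service and set its startup type to
# Disabled, then report the resulting state so the change can be verified.
# Assumption: the service display name begins with "TeamViewer".
function Disable-TeamViewerService {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DisplayNamePattern = 'TeamViewer*'
    )

    # A wildcard match that finds nothing returns no objects and no error.
    $services = @(Get-Service -DisplayName $DisplayNamePattern -ErrorAction SilentlyContinue)
    if ($services.Count -eq 0) {
        Write-Warning "No service with a display name matching '$DisplayNamePattern' was found."
        return
    }

    foreach ($svc in $services) {
        if ($PSCmdlet.ShouldProcess($svc.DisplayName, 'Stop and disable service')) {
            if ($svc.Status -ne 'Stopped') {
                # Equivalent of Properties > "Stop"
                Stop-Service -InputObject $svc -Force -ErrorAction Stop
            }
            # Equivalent of "Startup Type" = "Disabled" > Apply
            Set-Service -Name $svc.Name -StartupType Disabled -ErrorAction Stop
        }

        # Re-read the service so the output shows the state after the change.
        $current = Get-Service -Name $svc.Name
        $config  = Get-CimInstance -ClassName Win32_Service -Filter "Name='$($svc.Name)'"
        [pscustomobject]@{
            Name        = $current.Name
            DisplayName = $current.DisplayName
            Status      = $current.Status      # expected: Stopped
            StartMode   = $config.StartMode    # expected: Disabled
        }
    }
}

# Add -WhatIf to preview which services would be touched without changing them.
Disable-TeamViewerService
```

A service that still shows `Running` or a `StartMode` other than `Disabled` in the output was not changed and should be checked by hand in services.msc.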
Never understood why someone is using 3rd party service for remote connection, when there are so many forks of VNC...
Because TeamViewer is really easy to use. It just works.
So. Is it enough to activate 2fa?
Even with remote access software, don't people lock their computers when they go away? Teamviewer automatically does that for me when I close a session, but file management still works.
I'm not so sure there is a security issue with teamviewer, but I've stopped using it for now on my devices. Back to x2go and RDP over VPN for me!
Whoa, it was just a while ago that my boss asked me to check on a TV license to buy... I guess I'm going to leave this pending.
About ~4 months ago I had set up a brand new TeamViewer account for various virtual machines (honeypots), strong password etc. One night I noticed the TeamViewer login to one of the virtual machines: Chinese username, web interface language set to Chinese.
Account had never been leaked, freshly created. Time from install to compromise was about 2 weeks.
My TeamViewer was actually compromised, I came home one afternoon early in April around the 10th or so, I believe to my browser minimized, when I reopened it I was at the PayPal login.
Go back a few steps and it was on eBay trying to buy some $100 iTunes cards. Fortunately, I refuse to store banking/payment info on my PC so they got nothing out of me.
TV had a 24 character unique password, no 2FA (because I had never thought to check and see if it was even available). The IP that dinged me was a residential Hong Kong address.
Also had the password viewer program on the computer as well, so that was fun changing the other stored passwords.
How can you check the IP via TeamViewer lol?
Am I right to assume that if you don't run TV as a service - so launch on demand and don't have a TV account - you should be ~ safe ? (if it's proven that they got hacked) as from what I read it seems to happen on accounts.
TeamViewer keeps logs that you can check, they contain IPs.
C:\Program Files\TeamViewer\VersionX\Connections_incoming.txt