Someone hack my TeamViewer account and stole all my passwords saved in browsers!

[ingydust]

Hi,

on May 1st 2016 (at 13:04 GMT+3, Bucharest, Romania) someone hack intro my PC from TeamViewer and stole all my passwords from browsers (IE, Firefox, Chrome, Opera) with a little software called WebBrowserPassView. I was in other room for only 10 minutes and when come back I saw that someone open Amazon pages in browsers (Firefox and Chrome). He quickly loged out from session when I move the mouse. I saw this litlle utility on my desktop with a .txt file with all my password. He/she manage to transfer this .txt file... So it was to late...
I tried to connect to his/shes ID 279 320 949 and display popup with: "Your activity on TeamViewer is suspected to be bussiness (not free)" (something like this... I can't remember exactly, but I'm sure that you know what I'm talking about).
I quickly change all important passwords (gmail, facebook, yahoo, paypal, etc), even on TeamViewer and activate double authentication with code on my mobile.
I searched on the internet about TeamViewer and WebBrowserPassView hack and I found a lot of people were attacket with this method...
I restore entire clean image (bit by bit) of C:\ created 3 months ago to be sure that I'm not having a virus or something, even I'm very sure that I don't have virus (I know what I'm doing).
I'm using Windows XP SP3, AVG Antivirus and Outpost Firewall and I'm connected to internet trough TP-Link Router with security enabled.


Ex from log file (I sent it as support ticket already):
 - File transfer request from IngyDust (XxX XxX XxX) allowed
 - Write file C:\Documents and Settings\Username\Desktop\WebBrowserPassView.exe
- ClipboardFileContentHandlerWin::LogFileTransfer: Transmit file: 'C:\Documents and Settings\UserName\Desktop\grtg.txt' (this it the .txt with all my stolen passwords)

Please help me to find what's going on and who is this hacker (IP, address, email, etc)

Thank you in advance!

PS: After few hours of searching this problem on the internet I found that are MANY pople in this situation. I hope that is not a problem on TeamViewer side (servers security etc). PLEASE HELP!

[matt]

I'm feeling your pain...
Just so that you know, this is NOT official support.
This is a user run forum.

The number of such reports has increased the last few days. Personally, I'm reviewing my use of Teamviewer...

[matt]

Also, make sure that you change your important passwords (banks, government etc) immediately (I'm hoping that you have already done this)

https://www.teamviewer.com/en/company/press/statement-on-ransomware-infections-via-teamviewer/

[ingydust]

I'm feeling your pain...
Just so that you know, this is NOT official support.
This is a user run forum.

The number of such reports has increased the last few days. Personally, I'm reviewing my use of Teamviewer...

Hi, matt! I saw this after few hours of searching... There are many TeamViewer users in this situation.

Also, make sure that you change your important passwords (banks, government etc) immediately (I'm hoping that you have already done this)

https://www.teamviewer.com/en/company/press/statement-on-ransomware-infections-via-teamviewer/

I changed all important passwords starting the first minutes after attack and non-important too.

Thank you very much for your reply!

Now I'm waiting for a official reply on TeamViewer support ticket.

[0plus6]

Same thing here. Happen to catch them trying to steal passwords out of Chrome browser using a small program they copied across called ChromePass. Waiting on TeamViewer ticket response.

[unfortunatevictim]

Man I feel your pain.  In fact I still do, it's turned this once confident PC user into a paranoid sissy. 

5/29/16 @ 5am (computer left running, I'm asleep still) - I get a large purchase through ebay using the linked paypal.  < ok maybe someone got my ebay password, changed that and paypal will reimburse

5/30/16 @ 5am (computer left running, I'm asleep still) - I get ANOTHER charge using the exact same method and means.  < now I begin thinking to myself I have a trojan of some sort and begin scrubbing my pc, which honestly is futile in giving any sort of assurance it worked. 
I also begin removing all saved passwords and information from chrome and transferring them to lastpass, which is a vault of sorts for your login info, that can be tied to a token authentication on your smartphone.

5/31/16 @ 6AM, (computer was on standby, woken up for early morning reading) I notice a teamviewer connection open with my mouse clearly being controlled by someone on the other end.  To my horror I see them try to access my lastpass vault, as my phone is prompting the 2step authentication process.  About that moment I panicked and yanked all computers from the internet and began the teamviewer uninstall process, and immediately changing ALL passwords I can think of.

After settling down and reviewing the teamviewer logs, I think I have their teamviewer ID which I will be forwarding to the authorities. Long story short, DO NOT store passwords in browsers, DO NOT leave teamviewer running unsupervised,  DO use a complex password for teamviewer, and DO setup a 2step authentication process on your teamviewer account.

That guy better pray I never find him... 

[TeamViewer]

Hello,

As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services. We are appalled by the behavior of these cyber criminals. It is important to underscore that TeamViewer account authentication uses the Secure Remote Password protocol, and therefore does not store any password-equivalent data. Protecting your personal data is at the very core of everything we do.

To do our utmost to help you - our users - and to further strengthen the protection of your data against these hijacks of cyber criminals, we are globally rolling out improved security measures.

Please find more information about the measures in our press release under https://www.teamviewer.com/en/company/press/teamviewer-launches-trusted-devices-and-data-integrity/.

Regards,
Fabian – TeamViewer

[HYO1]

Many of these people are yelling at Teamviewer and blaming them but most of them have just joined the mass hysteria. Engaging the brain helps people take responsibility for their own actions in this situation, thus learning something in the process.

Does anyone know how someone from China cracks a password like this used on your Teamviewer account?
6vlJjMFYMbw4qG83mdNh

The answer is that they dont have to. They dont need any systems at Teamviewer other than logging into your account at the end of the process.

They obtain user information from any of the hacks in the past few years, Sony was very seriously hacked for example. Then many companies were hacked to prove a point, protect your customers data better. Nothing really changed. That information is bought and sold on a daily basis.

The hackers visit your email service and log-in. Perhaps using a webmail service if you're using Pop3 or Imap email. Your secret question is available too, this was used in the celebrity scandal to access naked pictures of celebrities. Apple only had one method of authentication in place and celebrities aren't very clever.

Some services have a way to recover your account using the "I dont have access to my email address" prompt others will let you supply information. Some services like Hotmail have flaws in their warnings to customers.


I'm getting off-track, anyway. They gain access to the email account. The settings are changed to redirect your email (Most services like Gmail can do this yet it wouldn't be readily obvious) directing all valid email traffic to another Pop3/Imap/Exchange server in China or somewhere inbetween. You stop getting your emails. People have reported that their emails were all forwarded to a dummy account and then the settings were changed, prior to their money being stolen and spent.

The hackers then go to all of the websites and see if you have accounts through the password reset prompts. They get all of those emails and simply reset your passwords, you're not being notified about any of it.

Unless you've strictly configured Teamviewer locally, if you're using the easy-connect system Teamviewer provides, they have everything they need to access your computer.

My advice is to be careful. If you're affected by this, first make sure you're not infected by anything installed via Teamviewer. Then change all of your passwords and check your email settings are correct.

[HYO1]

Sorry but additionally,

When people try to claim their Teamviewer account back through the compromised email address, The Teamviewer account is reset, but, the reset email is delivered in Chinese language. Teamviewer is sending out emails to those with compromised accounts, that's not going to fix all of this.

I've seen the IP addresses posted and nobody is really surprised, they're pretty much the same as the people that call you trying to have you install remote administration software on your computer. I guess they realised they could do better and skip the calls.