Teamviewer Hacked?

[perfectlemon]

My TV account got compromised, somehow, and the attacker used it to connect to the computers on my list, which were my PC and my laptop. Luckily, I was around when it happened, so I caught him in the process. He was only able to open PayPal and Ebay in a browser, but as I don't have auto login or auto complete for those web sites, he got nothing. This happened yesterday, May 19.

Not sure how he got his hands on my TV account, as I was using a moderately strong password (larger than 8 characters, numbers and letters, lower and upper case), but I do remember getting a weird contact request, which I declined, about one month ago. I think the contact request was from 'kikucqua2' which was also mentioned by another user, in a post above.

[matt]

is it possible that the email address and password combination that you use for teamview logon, is used elsewhere

[perfectlemon]

Yea, it's possible I may have used it in a couple of places. It's a username/password combination I would have used for accounts that I thought were important, but not important enough to deserve a unique password. I don't know why I haven't thought TeamViewer should have it's own unique password, but I changed that now + enabled two factor authentication

[Kadeschs]

This happened to me in the beginning of April. It was a multi-level security failure on my part.

I was woken up at 2AM by a call from a random number (that got through my DND because it called multiple times). Turns out it was the PayPal Fraud department, because someone had made 6 $100 purchases of gift cards on eBay with my PayPal account, and then bought some NCSoft coins as well.

I rushed to my computer, not knowing at the time that I had interrupted someone who was still connected to my computer watching me. I ended up kicking them off when I restarted my PC. At first I thought I had some kind of virus or was phished. It didn't dawn on me it was Teamviewer until I looked at my wife's PC and someone had eBay and PayPal up on that! Then I looked at my logs and saw multiple connections in the past two hours, AND all the history of eBay/PayPal/NCSoft was still in my Chrome browser.

From the Teamviewer logs I can see that they copy/pasted things several times (Including definitely all of my Chrome passwords using WebBrowserPassView, which was still on my desktop). So in addition to making purchases from my computer and from my PayPal account, they took all my passwords (400 or so.. I ran it myself to get the list to fix).

Was my Teamviewer password secure? I thought so. I may have used it on a few other sites. But I did not have two factor authentication turned on (I do now), I did not have passwords on my home PCs (it's only my wife and I, so I didn't see the need. But I do now), and I had all my passwords saved in Chrome (never again). I also had unattended access set up with no passwords required.. I still do actually.

I was also luckily able to get all the charges reversed.

The weird thing is ever since then I am getting at least two random contact requests on my Teamviewer account a week.. probably not good.

Whether my credentials used on Teamviewer were compromised somewhere else and tested, or my Teamviewer account itself was stolen somehow, I don't know. But that wasn't a good situation. I do see today that there are reports of 270 million account credentials from various places being passed around, I am really curious if Teamviewer is in there.

This all happened the exact same way to me yesterday around 3:47am EST.  I too have been getting random contact requests for the last couple of months (never did before).  I didn't actually catch him until around 7:30am EST when I logged into TeamViewer to the home computer from work and saw him going to town on my computer.  The hacker had gained access to my computer in stealth mode, accessed my Firefox browser, and proceeding to buy hundreds of dollars of Amazon and iTunes cards from eBay and 4000 Bitcoins from NCSoft using my PayPal account.  He was buying cards that had redeem codes emailed to my email account right away.  Luckily my wife was home and was able to close TeamViewer and shut down my computer.

I spent all day calling banks, PayPal, eBay attempting to canceling transactions, reporting fraud, and filing a police report.  This has caused me to cancel all of my credit cards and get new ones issued leaving me in a bad situation.  I also went through and changed passwords to websites, etc.

I so very sad to say that while I absolutely love this software and used it daily (esp. when I'm out of town on business for weeks at a time), too much damage has been done now to allow it to reside on any of my computers.  I have completely uninstalled it and will never feel comfortable enough to use it again.

I just wanted to post this here so others using this software are properly informed.  Take the necessary precautions to keep your data safe and never assume that this software is 100% secure.  Don't have browsers remember your passwords and have your computer on the lock screen when left unattended.

[Danl]

Let's not forget that there are TWO passwords that should be secure. Your personal password for unattended access (combined with your TV ID) will allow someone to get in to one computer. But your TV account password and e-mail address gets them into EVERYTHING. All your computers. I think it's that second password that is really the most critical, and should be designed with care and a lot of characters.

[Kadeschs]

Let's not forget that there are TWO passwords that should be secure. Your personal password for unattended access (combined with your TV ID) will allow someone to get in to one computer. But your TV account password and e-mail address gets them into EVERYTHING. All your computers. I think it's that second password that is really the most critical, and should be designed with care and a lot of characters.

So with that, I guess my real question is did they really guess correctly my fairly sophisticated password or did they hack the software in some way to not only gain access but do so in almost complete stealth mode?  It seems fishy that I suddenly have been getting contact requests.  If someone accepts the contact add request, do they have the ability to see account passwords?  It also must have been my TV account that they got access to as they successfully accessed all my of my computers in my account.

[Danl]

You might have spyware on your machine. I've run into several PCs that had spyware cranking away. At the least you should run Anti-Malware.

[ERS]

in regard to these hacking episodes, Teamviewers stance is that this is user error and or complacency, which i tend to think it is:
Regardless i think users need to tighten down their security:
https://www.teamviewer.com/en/company/press/statement-on-potential-teamviewer-hackers/?utm_source=Facebook&utm_medium=social&utm_content=statementonpotentialhackers&utm_campaign=Social&pid=social_Fb


Statement on Potential TeamViewer Hackers

 

Göppingen/Germany, May 23, 2016. A recent article warns, “TeamViewer users have had their bank accounts emptied by hackers gaining full-system access”. TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side. Therefore TeamViewer underscores the following aspects:

    Neither was TeamViewer hacked nor is there a security hole
    TeamViewer is safe to use and has proper security measures in place
    Our evidence points to careless use as the cause of the reported issue
    A few easy steps will help prevent potential abuse

Ad 1.) As always when we receive alerts about potential security alerts, we look at the issue at hand. This is what we have done in this case: There is no evidence to suggest that TeamViewer has been hacked. Neither do we have any information that would suggest that there is a security hole in TeamViewer. Therefore it it is important to stress there are no TeamViewer hackers, but rather data thieves that will steal information from other sources. It is critical to make sure attention is not diverted from the real issue.

Ad 2.) TeamViewer is safe to use, because TeamViewer has proper security measures in place including end-to-end encryption to prevent man-in-the-middle attacks, anti-brute-force means, and more. Additional information about TeamViewer’s security is available at: https://www.teamviewer.com/docs/en/TeamViewer-Security-Statement-en.pdf

Ad 3.) Unfortunately, users are still using the same password across multiple user accounts with various suppliers. While many suppliers have proper security means in place, others are vulnerable. The latter ones tend to be targeted by professional data thieves. As TeamViewer is a widely spread software, many online criminals attempt to log in with the data gained from compromised accounts (obtained via the aforementioned vulnerable sources), in order to discover whether there is a corresponding TeamViewer account with the same credentials.

Storing or caching of account credentials in your browser is yet another example of careless use. The security means to protect such sensitive data do not suffice to guarantee an acceptable level of security. Additionally, cybercriminals may use certain tools to identify and visualize sensitive data in the browser.

Ad 4.) TeamViewer encourages users to …

    … create different passwords for each account
    … not share your passwords.
    … change passwords regularly.
    … not use personally identifiable information for passwords.
    … use two factor authentication: https://www.teamviewer.com/en/help/402-How-do-I-activate-deactivate-two-factor-authentication-for-my-TeamViewer-account.aspx
    … use password safes.

More information about these recommendations are available at:
https://www.teamviewer.com/en/company/press/teamviewer-brings-about-rule-of-five-to-celebrate-world-password-day/

The TeamViewer support team is happy to answer any potential technical issues or queries at:
https://www.teamviewer.com/en/support/contact/submit-a-ticket/

TeamViewer recommends that users who have been the victim of criminal activities get in touch with their local police departments, in order to report their case. This is particularly important because TeamViewer is subject to very strict data protection and privacy regulations, and can release sensitive data only to authorized individuals and authorities.

 
About TeamViewer

Founded in 2005, TeamViewer is fully focused on the development and distribution of high-end solutions for online communication, collaboration and remote monitoring of IT systems. Available in over 30 languages and with more than 200 million users worldwide, TeamViewer is one of the world’s most popular providers of remote control and online meeting software. airbackup, a powerful cloud-based backup solution, and ITbrain, a valuable remote monitoring, anti-malware and IT asset tracking solution, complement TeamViewer’s product portfolio.

For more information, visit: www.teamviewer.com
Follow us on Twitter at @TeamViewer and on our blog at blog.teamviewer.com.

TeamViewer GmbH
Jahnstr. 30
73037 Göppingen

[Tranquil]

Same happened to me this Weekend and I can really not don't how it worked. This is what happened:

On 28th of March someone send me an TV Invitation which I ignored. (Do not check that mail account very often)
On the night  of the 29th someone was able to login to my TV account, which had 3 computers in the list. My Home Server is online 24/7 so the guys were able to connect to it.
Unfortunately, my system was not locked so they opened Chrome. Chrome is connected to my Google Profile where I stored some passwords. (Bad Idea I know)

They tried to buy some iTunes and X-Box Premium codes on Amazon, but Amazon denied this and locked down my account.
After that, they tried to gain access to the email account, which is assigned to PayPal, without success. Then they logged on to PayPal and made 10 transaction of around 2000$.
PayPal told me on phone, that I will get back that money soon - it is also now confirmed by Mail by PayPal.

Honestly, I don't have a clue how they find out my login credentials. On my Server, there was only a instance of Emby and DVBLogic running together with TV. Other Software installed: Chrome and TotalCommander. Avast as AntiVirus Service.

Reinstalled all my Systems and now using two factor authentication where it is possible, changed passwords on nearly all plattforms. BTW, I had a strong alphanumerical and long PW.

[AZEXPLORER]

This happened to me last night at about 7:00 PM MST. I was at my laptop. TeamViewer was launched and in the lower right corner of my taskbar, but I was not connected to anyone.

My Firefox browser was already open, but I was not actively doing anything on my laptop at the time.

I was on the phone, and my laptop was just sitting in front of me.

I suddenly noticed movement and a flash of activity and I saw TeamViewer connect.

Then someone started moving my mouse around, and went directly to Amazon, and then to PayPal. Then just about as abruptly as they connected to me, they disconnected. This all happened in a matter of less than a minute.

I cannot tell if they did anything else, or if this is the only time they tried to connect to me.

I usually have TeamViewer open and in the lower corner of my taskbar.  I won't be leaving TeamViewer open anymore.

Anyway, my passwords were not highly secure, and I understand that that is my fault, but that does not explain why this is happening to so many people - people who have pretty secure passwords, so I am not so quick to just dismiss this as being my fault. There seems to be something else at play here.

I looked through the TV logs on my hard drive, but I am not really sure what I am looking for.

While looking through other things last night, I noticed that I did get a contact request from "jdkyle" and it was just sitting there.  I hadn't even noticed it until all of this happened last night and I started looking through everything.

I use LastPass and I hope they were not able to steal any of my stored passwords.   

I went to change my TV password and the verification email that I got was in Chinese. That was when I knew there was a serious problem.

I am worried because there are people reporting this happening to them who say they had STRONG alphanumeric, LONG, passwords, so there is more to this than just dismissing it as me having a lax password.

I hope TeamViewer Support sees that there is a trend here.

I have never come to the forums, and almost didn't. So, I wonder how many people this is happening to who are not reporting it. The is the tip of the iceberg.

Thanks for any help.

[unfortunatevictim]

Just copying this from another thread.  Ultimately I blame myself for the manner in which I used it (PC on overnight and TV left running) but my password was NOT overly simple, so I still don't understand how my account was compromised and think it's worthy being looked into.
-----------------------
Man I feel your pain.  In fact I still do, it's turned this once confident PC user into a paranoid sissy. 

5/29/16 @ 5am (computer left running, I'm asleep still) - I get a large purchase through ebay using the linked paypal.  < ok maybe someone got my ebay password, changed that and paypal will reimburse

5/30/16 @ 5am (computer left running, I'm asleep still) - I get ANOTHER charge using the exact same method and means.  < now I begin thinking to myself I have a trojan of some sort and begin scrubbing my pc, which honestly is futile in giving any sort of assurance it worked. 
I also begin removing all saved passwords and information from chrome and transferring them to lastpass, which is a vault of sorts for your login info, that can be tied to a token authentication on your smartphone.

5/31/16 @ 6AM, (computer was on standby, woken up for early morning reading) I notice a teamviewer connection open with my mouse clearly being controlled by someone on the other end.  To my horror I see them try to access my lastpass vault, as my phone is prompting the 2step authentication process.  About that moment I panicked and yanked all computers from the internet and began the teamviewer uninstall process, and immediately changing ALL passwords I can think of.

After settling down and reviewing the teamviewer logs, I think I have their teamviewer ID which I will be forwarding to the authorities. Long story short, DO NOT store passwords in browsers, DO NOT leave teamviewer running unsupervised,  DO use a complex password for teamviewer, and DO setup a 2step authentication process on your teamviewer account.

That guy better pray I never find him... 

[AZEXPLORER]

I read a post in this thread that TeamViewer administration dismisses these kinds of problems as "user error and complacency", however I think they are very, very foolish to not take a closer look at their own database or whatever because I do not think this has anything to do with "user error and complacency".

It is like with the Tylenol scare years ago .... you can only deny things for a certain period of time, then it is in the best interests of YOUR company to take a closer look to see how YOU might be responsible for the breach and then take swift action to resolve it. Otherwise, your company will never, ever recover from the bad publicity it causes.

I can tell you that after what happened to me the other night, I will NEVER recommend TeamViewer to my corporate clients. This is a sad day indeed. I have been using TeamViewer for many, many, many years. I am now going to uninstall it and look for another solution to my needs. I will contact the small businesses I have recommended TV to and suggest that they change to another product.

[crr]

just posted in another thread, but im in this situation as well

my account has been comprimised by someone from china and im now at a loss of voer $3000 from paypal which they wont give back as they cant prove my paypal account was hacked as it was from my own computer.

Teamviewer really needs to recognize this now as there is more and more people getting done by this

[Tranquil]

As stated above, I also got hacked and approx 3000 Euro are stolen from my PayPal account.
I called PayPal asap by phone and told them what happen. They also told me that all payments have been made from my computer and needs to be investigated first. The women on phone directly told me, that she is 100% sure that I get my money back. Within the next 24 hours I got many Emails by PayPal confirming me the refund.

Anyway, if PayPal would not refund I also have the 2nd option to reject all the payments at my bank.

[crr]

Tranquil

My bank rejected the payment but PayPal said to me if they don't find anything to prove it was a hack then I owe them $3700

Let's hope with all these coming through they acknowledge the issue.

Do you have an account on the team viewer website that you can check if there were unauthorised logins around that time?