TeamViewer users reporting unauthorized access, hack suspected

Several TeamViewer users have reported unauthorized access over the last few days, leading some to suspect that the remote connection company has been hacked.

The unauthorized access reports started showing up on Reddit around the same time that the company suffered possible DNS issues that triggered an outage lasting for several hours.

In some cases, those users reporting the incidents on Reddit say their PayPal accounts, as well as Amazon accounts were raided – after the unauthorized user took advantage of stored credentials in the browser to conduct transactions. Other users are reporting instances of webmail compromise using the same process.

One user, Eric1084, reported on Tuesday that when he sat down at his computer his mouse started to move on its own.

“When I sit down on my chair, I saw my mouse is moving across the screen. Of course, I immediately revoked remote control, and asked who he is. At that point, he disconnected, and attempted to connect to my Ubuntu server, which have all my backups. Good thing I connected to it right after he remote into my workstation, and noticed what he is trying to do. I revoked his permission before he tries to open Firefox.”

In some cases, the hacking reports are cases where TeamViewer was left unattended, or wasn’t protected with a strong access password or two-factor authentication. These cases mirror those from around May 23, when TeamViewer issued a statement blaming the users for the reported incidents.

Wednesday afternoon, on Twitter, a PR agent for TeamViewer mirrored those statements when questioned about the latest reports. [Mirror]

The May 23 statement reads in part:

“TeamViewer is appalled by any criminal activity; however, the source of the problem, according to our research, is careless use, not a potential security breach on TeamViewer’s side.”

The statement goes on to state that users need to avoid password reuse, and to use two-factor authentication.

It is entirely possible, given the recent flood of hacked social media accounts, that TeamViewer wasn’t hacked directly. People leave TeamViewer open to public connections all the time; it’s almost as bad as VNC.

An installation using shared, weak, or no passwords to protect the account at all, combined with a lack of two-factor authentication, becomes a ticking bomb of a disaster – as one recent report clearly demonstrates.

But the company hasn’t addressed the recent reports of unauthorized access – other than directing the public to the May 23 statement, and little is known about the outage they experienced earlier today. Moreover, some users on Reddit are reporting unauthorized access in cases where two-factor authentication and strong passwords existed.

These gaps are the reason why users and security professionals have taken to assuming the worst.

Salted Hash has reached out to TeamViewer for comments and additional details. We’ll update this story if new information becomes available.

Update: No word from TeamViewer, but on Reddit (hat tip to CoolAcid for pointing it out) someone posted a copy of a TeamViewer log file from a recent unauthorized access.

Update 2: TeamViewer issued a statement on the outage and unauthorized connections.

“TeamViewer experienced a service outage on Wednesday, June 1, 2016. The outage was caused by a denial-of-service attack (DoS) aimed at the TeamViewer DNS-Server infrastructure. TeamViewer immediately responded to fix the issue to bring all services back up.

“Some online media outlets falsely linked the incident with past claims by users that their accounts have been hacked and theories about would-be security breaches at TeamViewer. We have no evidence that these issues are related…”

The statement also reminds users to not reuse passwords across multiple accounts, and says that issues such as those being reported could be related to malware infections, as “once a system is infected, perpetrators can virtually do anything with that particular system.”