
TeamViewer confirms number of hacked user accounts is “significant” - TheGuyWhoCodes
http://arstechnica.com/security/2016/06/teamviewer-says-theres-no-evidence-of-2fa-bypass-in-mass-account-hack/
======
dovdov
"We want to sincerely apologize to all users who took offense at our choice of
words, particularly the "careless use" thing we published in several of our
statements. We never meant to offend anyone."

"It's really important to understand that TeamViewer is a tool that needs to
be used sensibly and extremely smartly."

Managed to stay super arrogant after their major f*up. Way to go! bust...

~~~
brandon272
What I don't understand is why they don't just force password resets with
strong, unique passwords. Add language strongly encouraging 2FA. Seems like a
less damaging option than telling everyone that their personal security
practices are dumb and hackable.

------
AdmiralAsshat
_T: You're referring to the TeamViewer client that's usually installed on the
desktop computer. The cases that we're talking about currently are not cases
connected to that desktop client; we're talking about TeamViewer accounts.
TeamViewer offers particularly to its business clients the option of setting
up TeamViewer accounts which come with a lot of advantages for professional
users because it allows them to manage multiple devices, have their entire
support force be in that account and set up policies that especially
professional users are looking for. That's a feature that we're also offering
to our private users who can use the accounts for free. Most of the cases to
the best of my knowledge are in regards to those accounts. Whenever somebody
sets up an account there are several ways they can set up their user
credentials and assign devices to that account. If somebody goes ahead and
uses the same e-mail and password for that account as they used for any other
given Internet account then that makes this account somewhat vulnerable in
terms of the credentials._

Someone want to clarify on this? If I'm understanding, that means the only
people reporting compromise were those that had a business account?

~~~
brandon272
There are basically two options for connecting to a computer using TeamViewer:
1) Using their auto-generated ID and password (i.e. give your partner ID and
password to your nephew and he can log in to your computer using his
TeamViewer client), and 2) Sign up for a TeamViewer account and add systems to
your account that you can basically just click on and access.

TeamViewer describes it as a "business" account but anyone can sign up for an
account and use the system in that way.

------
Fej
Is it possible that they don't even know what's happened yet?

They're not stupid. Covering it up only makes it worse. I think they're just
stalling until they figure it out.

~~~
rando444
It seems to be a simple case of users re-using passwords for all their
services, which explains how someone can log into their TeamViewer account,
connect to their computer and then proceed to make purchases on Amazon, etc.

This is most likely related to the LinkedIn hack from 2012, but someone is now
selling that data of 117 million people with decrypted passwords.

~~~
geoelectric
The purchases seem to be made using things like browser-stored passwords/login
cookies, or if nothing else the password reset and access to an email client
with stored login info.

I don't think shared passwords are being reused once inside the session,
mostly because why would you need to hijack someone's box to do so? Just log
into Amazon from wherever.

They might be used to get into the remote session in some cases, but a lot of
people who otherwise seem educated on the issue seem pretty convinced that
can't be what happened to them.

~~~
ryanlol
>Just log into Amazon from wherever

Good luck with that! Their anti-fraud systems will fuck you 99% of the time.

------
vamur
TeamViewer has been a vector for hacks for a few years now. Nothing was done
about it and people still use it and likely will use it even after this bigger
hack and company's ridiculous attitude.

------
TheGuyWhoCodes
I just want to add that if they really cared they would just demand 2FA
(assuming it's not broken), or at least reset the passwords like LinkedIn did.

------
emdd
This disaster got me out of TV and into ZeroTier and NoMachine instead.

