TeamViewer confirms number of hacked user accounts is “significant” (arstechnica.com)
50 points by TheGuyWhoCodes on June 6, 2016 | 12 comments



"We want to sincerely apologize to all users who took offense at our choice of words, particularly the "careless use" thing we published in several of our statements. We never meant to offend anyone."

"It's really important to understand that TeamViewer is a tool that needs to be used sensibly and extremely smartly."

Managed to stay super arrogant after their major f*up. Way to go! bust...


What I don't understand is why they don't just force password resets with strong, unique passwords. Add language strongly encouraging 2FA. Seems like a less damaging option than telling everyone that their personal security practices are dumb and hackable.


T: You're referring to the TeamViewer client that's usually installed on the desktop computer. The cases that we're talking about currently are not cases connected to that desktop client; we're talking about TeamViewer accounts. TeamViewer offers particularly to its business clients the option of setting up TeamViewer accounts which come with a lot of advantages for professional users because it allows them to manage multiple devices, have their entire support force be in that account and set up policies that especially professional users are looking for. That's a feature that we're also offering to our private users who can use the accounts for free. Most of the cases to the best of my knowledge are in regards to those accounts. Whenever somebody sets up an account there are several ways they can set up their user credentials and assign devices to that account. If somebody goes ahead and uses the same e-mail and password for that account as they used for any other given Internet account then that makes this account somewhat vulnerable in terms of the credentials.

Someone want to clarify on this? If I'm understanding, that means the only people reporting compromise were those that had a business account?


There are basically two options for connecting to a computer using TeamViewer: 1) Using their auto-generated ID and password (i.e. give your partner ID and password to your nephew and he can log in to your computer using his TeamViewer client), and 2) Sign up for a TeamViewer account and add systems to your account that you can basically just click on and access.

TeamViewer describes it as a "business" account but anyone can sign up for an account and use the system in that way.


Is it possible that they don't even know what's happened yet?

They're not stupid. Covering it up only makes it worse. I think they're just stalling until they figure it out.


It seems to be a simple case of users re-using passwords for all their services, which explains how someone can log into their TeamViewer account, connect to their computer and then proceed to make purchases on Amazon, etc.

This is most likely related to the LinkedIn hack from 2012, but someone is now selling that data of 117 million people with decrypted passwords.


Except, like in every thread in the past week, people are reporting unique random entropy passwords being compromised. If one thing is clear it is that this is a lot more complex than reusing LinkedIn passwords.

It's also pretty easy to look at their downtime last week as a huge red flag.


The purchases seem to be made using things like browser-stored passwords/login cookies, or if nothing else the password reset and access to an email client with stored login info.

I don't think shared passwords are being reused once inside the session, mostly because why would you need to hijack someone's box to do so? Just log into Amazon from wherever.

They might be used to get into the remote session in some cases, but a lot of people who otherwise seem educated on the issue seem pretty convinced that can't be what happened to them.


>Just log into Amazon from wherever

Good luck with that! Their anti-fraud systems will fuck you 99% of the time.


TeamViewer has been a vector for hacks for a few years now. Nothing was done about it and people still use it and likely will use it even after this bigger hack and the company's ridiculous attitude.


I just want to add that if they really cared they would just demand 2FA (assuming it's not broken), or at least reset the passwords like LinkedIn did.


This disaster got me out of TV and into ZeroTier and NoMachine instead.



