GoToMyPC accounts hacked, all customer passwords reset

Remote access tool gets remotely accessed… by hackers.

GoToMyPC

Experiencing a problem logging into GoToMyPC? There's a reason for that. Your password has been reset by Citrix, the company which runs GoToMyPC.com, after hackers reportedly attacked the service.

Here is part of GoToMyPC's security advisory:

IMPORTANT SECURITY MESSAGE FROM THE GoToMYPC TEAM

Dear Valued Customer,

Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack. To protect you, the security team recommended that we reset all customer passwords immediately.

Effective immediately, you will be required to reset your GoToMYPC password before you can login again.
To reset your password please use your regular GoToMYPC login link.

Recommendations for a strong password:

  • Don’t use a word from the dictionary
  • Select strong passwords that can't easily be guessed with 8 or more characters
  • Make it Complex – Randomly add capital letters, punctuation or symbols
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”.

It's a shame in their recommendations GoToMyPC's security team left out the most important one of all - don't reuse your passwords in multiple places.

After all, it's sensible that your GoToMyPC password has been changed - but you also need to ensure that you change your passwords on any site *other* than GoToMyPC if you were making the mistake of not using unique passwords.

It's also a pity that the details are a little sketchy.

Has GoToMyPC suffered a data breach, with passwords nabbed from its servers by online criminals, or is it that attackers are using credentials stolen from other sites to gain access to GoToMyPC accounts?

Right now, GoToMyPC isn't saying. Maybe it simply doesn't know.

GoToMyPC is sensibly recommending customers enable two-step verification, which will mean any potential hackers will need more than your password alone to access your account.

The news of the GoToMyPC security breach comes soon after users of TeamViewer, another service for remote desktop access, claimed that their accounts had also been attacked - although the company has denied that it has suffered a security incident.

Hat-tip: Thanks to @PeterVogel for first bringing GoToMyPC's security advisory to my attention.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

9 Responses

  1. Peter Vogel

    June 19, 2016 at 8:10 am #

    As first posted here:

    https://plus.google.com/u/0/105201176373156907412/posts/FPb7ojTHU4p

  2. Bob

    June 19, 2016 at 6:17 pm #

    Unfortunately organisations store the 2SV secrets in the same database (or close to) their password databases.

    Enabling 2SV will stop your (casual) unauthorised user but not somebody who has managed to breach a company's internal systems. It is for this reason I recommend activating 2SV.

    I like to remind people that a password is merely a method of authentication. If a company has suffered a breach then it's highly improbable that 2SV will offer any level of protection.

  3. Anders Dalen

    June 20, 2016 at 10:22 am #

    Usually "a very sophisticated password attack" is code for "We have really lousy security and some script kiddie hacked our site".

    • Joey L in reply to Anders Dalen.

      June 20, 2016 at 10:41 am #

      I thought it was code for brute force or password re-use.

      • Anders Dalen in reply to Joey L.

        June 20, 2016 at 11:02 am #

        Note that they are resetting ALL the passwords. This indicates that they have either been hacked or they just woke up with a really bad hangover and no clue to what has happened.

  4. graphicequaliser

    June 20, 2016 at 10:53 am #

    GoToMyPC's password database must have been designed from the ground up to be high-security, because of the nature of the control which it gives a logged-in user. If that can be made to spill its beans using a "sophisticated" attack, it is only a matter of time before the password manager databases also succumb to this "sophisticated" attack. It is time to introduce personal internet "tokens" which travel around with you – perhaps an implant in your right-hand with a bar-code on a microchip. The only way to hack your account is to extract the chip from your hand first!

  5. Jason White

    June 20, 2016 at 2:54 pm #

    "Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”

    Whoever wrote this is woefully behind the times. Making passwords complex for humans and these simplistic substitutions do nothing to strengthen passwords. It's all about entropy, people.

  6. Steve

    June 21, 2016 at 8:32 am #

    I use LiteManager it is store all passwords on my local PC, without the threat of loss/reset them

  7. Glenn Dobson

    June 28, 2016 at 10:59 pm #

    In case you did not see the follow up communication.

    Citrix takes the safety and security of its customers very seriously, and is aware of the password attack on GoToMyPC. Once Citrix determined the nature of the attack, it took immediate action to protect customers. Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.

    At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. Further, there is no indication of compromise to any other Citrix product line.

    Frequently Asked Questions:

    Q: What happened?
    A: GoToMYPC (G2P) came under a password attack. Once we determined the nature of the attack, we took immediate action to protect our customers. Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.

    Q: Was GoToMyPC the only product impacted by the attack?
    A: Yes, GoToMyPC was the only product line effected. There is no indication any other product was impacted.

    Q: What did Citrix do?
    A: In order to protect our customers, we have set a mandatory password reset for all GoToMyPC users. We encourage our members to enable two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.

    Q: What should I do if I am a GoToMyPC customer?
    A: To protect you, the GoToMYPC security team reset all customer passwords.

    Next Steps: .
    You will be required to reset your GoToMYPC password before you can login again.
    To reset your password please use your regular GoToMYPC login link.
    Recommendations for a strong password
    • Don’t use a word from the dictionary
    • Select strong passwords that can't easily be guessed with 8 or more characters
    • Make it Complex – Randomly add capital letters, punctuation or symbols
    • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”)
    • Don't use the same password in more than one place
    2-step Verification option
    We recommend everyone use the 2-step Verification option for GoToMyPC accounts. http://support.citrixonline.com/en_US/gotomypc/help_files/GTC070021?title=2-Step+Verification

    Q: Was any personal information compromised?
    A: Our initial assessment indicates that no sensitive customer data (such as credit card information) was exposed. We are continuing an in-depth forensic investigation and will share the results of this investigation as soon as feasible.

    Q: Where can we go find more information about the event?
    A: http://status.gotomypc.com

Leave a Reply