Over the past three days, both Reddit and Twitter have exploded with such reports, often with the unsupported claim that the intrusions are the result of a hack on TeamViewer's network. Late on Friday afternoon, an IBM security researcher became the latest to report a TeamViewer account takeover.
"In the middle of my gaming session, I lose control of my mouse and the TeamViewer window pops up in the bottom right corner of my screen," wrote Nick Bradley, a practice leader inside IBM's Threat Research Group. "As soon as I realize what is happening, I kill the application. Then it dawns on me: I have other machines running TeamViewer!"
I run downstairs where another computer is still up and running. Lo and behold, the TeamViewer window shows up. Before I am able to kill it, the attacker opens a browser window and attempts to go to a new web page. As soon as I reach the machine, I revoke control and close the app. I immediately go to the TeamViewer website and change my password while also enabling two-factor authentication.
Lucky for me, those were the only two machines that were still powered on with TeamViewer installed. Also lucky for me is the fact that I was there when it occurred. Had I not been there to thwart the attack, who knows what would have been accomplished. Instead of discussing how I almost got hacked, I’d be talking about the serious implications of my personal data leak.
Bradley's account came a few hours after Germany-based TeamViewer reaffirmed what it has steadfastly maintained for the past two weeks—that the account takeovers are the result of end users' careless passwords practices. In a statement, company officials alluded to the recent cluster of "megabreaches" that have dumped more than 642 million passwords into the public domain over the past month. The officials wrote:
As you have probably heard, there have been unprecedented large scale data thefts on popular social media platforms and other web service providers. Unfortunately, credentials stolen in these external breaches have been used to access TeamViewer accounts, as well as other services.
We are appalled by the behaviour of cyber criminals and are disgusted by their actions towards TeamViewer users. They have taken advantage of common use of the same account information across multiple services to cause damage.
The statement went on to announce two measures being introduced in response to the large number of reported TeamViewer hijackings. The first, dubbed "Trusted Devices," ensures that before a device can access an existing TeamViewer account for the first time, the account holder must explicitly confirm that the new device is trusted. TeamViewer is implementing the measure using an in-app notification that asks account holders to approve the device by clicking a link sent through e-mail.
TeamViewer spokesman Axel Schmidt told Ars that TeamViewer officials initially planned to introduce these security features later this year. The growing number of public posts reporting TeamViewer account takeovers prompted the early roll out, he said.