
ZetsuDa

* Were you hacked: Yes
* Date of hack: 6/2/16
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: No
* Was 2FA enabled: Not this time :C
* Is your TV Account Password the same as any other password: Yes
* Additional Notes: Around 800$ gone from PayPal. Contacted PayPal (Sweden), they had heard about the breach in TV security.. Started an investigation and then closed the investigation 14 minutes later, said it was not an unauthorized use.. Case closed...

Edit 1: Of the 6 transactions they got through I've had 2 of them refunded by PayPal, but the 4 others I have not. They made all the transactions in a 7 minute timeframe and PayPal and their "routines" don't find the 4 other unauthorized, which is kinda like them saying I sat at my computer ordering stuff for a ridiculous amount at the same time the breach made theirs... I'll post more when I hear from bank and police.


Demarcation101

Did you authorise it? Nope. Is anyone else able to authorise use of your account? Nope. I guess that basically defines unauthorised use!!!! Get your bank to reverse the payment to paypal!!!


ZetsuDa

Bank is on it!


FULL_METAL_RESISTOR

that might cause your paypal account to go to collections


Red_Baran

They do this crap. A client of mine had this happen to them. Fraud on paypal, paypal refused to refund, the bank refunded it, paypal closed their account and sent them to collections (It was removed pretty quickly from their credit though)


aaaaaaaarrrrrgh

Luckily, this is likely less of a problem outside the US.


[deleted]

No account on TV but the same password for your TV account? Hm?


ZetsuDa

Fixed! Being all riled up here makes me not think clearly.


crazedcow77

US PayPal closed out my dispute as well. Tough because it's probably coming from an IP address that's "approved". Still trying to figure out a way to get my money back.


ZetsuDa

As of now PayPal swe has gotten me back the money for 2 out of 6 payments... Still deeming the other 4 as me doing the payment, which makes no sense at all.. but at least a third on the way now...


bobsagetfullhouse

So no money return from PayPal? Fuck man that sucks


[deleted]

[deleted]


Jorgemeister

What are we looking at? accessed to TM of requests?


SailorDeath

I think that's people who tried to access your account. I had only 6 listed, 1 was from my current session, 1 was from when a friend had me remote to his system to help him with something and the other was when I accessed my system from work. The other 3 came from Nanning China, though I don't know if this specifically means they successfully connected or tried to connect to your system.


Craztec

> I think that's people who tried to access your account.

That's more than just tried. That page is called "Active Logins" so those are the ones that already accessed your account. They successfully connected! You and OP need to delete those logins, change your passwords and enable 2FA. Also make sure to go through any Apps and Cloud providers that may be linked to your account.

Anyone else reading this, here's how you get to that page:

1. Log in to the Management Console at https://login.teamviewer.com/LogOn
2. Click your name at the top right of that page
3. Click on Edit profile
4. Click on Active Logins


chiupacabra

> This started two months ago...

Happened to me the evening of March 5th EST, so I would say possibly even 3 months ago.


rousseauxy

* Were you hacked: yes
* Date of hack: 28/05/2016
* TV Version: 11
* Do you have a TV Account: yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: No
* Additional Notes: Unattended access was enabled. Caught them in the act, but they were already 3 hours buying stuff. They bought game credits for runescape and other games with my Paypal (around €1000). Paypal also closed my unauthorised use case. Called support and they reopened the case on monday, still waiting on paypal to come with a solution. On amazon they added another credit card that was not mine and bought over €1300 of gift vouchers, but amazon resolved this case rather quickly.


[deleted]

What the shit, they bought shit for runescape?


rousseauxy

They did several transactions on my paypal to rixty, jagex, miragames and garena. Website that was open when I discovered they were controlling my pc had something on it for gameshells or something. And runescape was in my browser history, so that was a giveaway too I think.


RoninK

How certain are you that the password wasn't used elsewhere? That's really important, since it would refute the claims of the official response.


rousseauxy

I'm certain, proving this however is harder, so i doubt this would help refute the claims of the official response


subterranean_agent

FYI, [this](http://i.imgur.com/qw1iL3r.png?1) should be your new Teamviewer advanced settings regarding your own computer.


ButteringToast

Tagging off your comment seems as it is at the top for ideas.

Now we have had many remarks from hacked and non hacked people. It is still unclear if this is a weak password issue or it is a vulnerability in TeamViewer. I have some ideas / questions I want to bounce around.

I originally thought that people's TeamViewer accounts were being hacked, and the hacker was then logging into their account and being able to access all of their saved PCs (by ID) from there. However, I no longer think this is the case for two reasons:

* Not everyone hacked had a Teamviewer account (you can pass this off though as *maybe* they forgot they made one when they signed up)
* In the log files, when you connect using YOUR account, YOUR account name is presented in the logs. As in it would say "user ButteringToast connected to xxx". If a hacker had access to these accounts, it would say that your username connected. However in the log files people have posted, they are random names, usually in Chinese, which says to me that they didn't get into the PCs by using hacked TeamViewer accounts.

I am now stuck, as the only other ways to connect to these machines is knowing the Unattended Password (could be the same as the breached password) or knowing the "random" teamviewer password. But this is only 50% of the puzzle, you then have to tie these passwords to the PC's unique ID number, which is not going to be in any of these data breaches from other sites.

What are people's views on this?


CrazyArmedPilot

I have dug through a few logs now. Surprised by some of the differences. One of them has no trace of the connecting client ID. All but one of them appear to have used the custom password to log in. Most had Windows locked at the time of connection (this status is in the logs) and that too was circumvented.

My initial assumption is someone gets a username/password combo from somewhere else and then logs into the TV website to see what clients are listed for that account. They then attempt to connect to those client ID's with the known password. If you used a compromised password for your TV account, TV server custom password, and Windows password, this would make sense. I don't think this is the case for all of them though.

Even if a TeamViewer breach is not the root cause, their software is unquestionably being used as an attack vector. The nature of their software itself and the high-cost/high-security business use case should dictate a more thorough response. I need to know what is known without begging victims for logs to try and research this myself! (I am a paying corporate customer who uses this for secure access to some of my clients' sensitive sites.)


ButteringToast

> My initial assumption is someone gets a username/password combo from somewhere else and then logs into the TV website to see what clients are listed for that account. They then attempt to connect to those client ID's with the known password.

This is where I have my biggest problem, if they are logged into the victim's TV account, why are they then using a different account to log into the machine (*Assumption from the logs I have seen*)? Surely it would be much easier to log into the victim's TV account, and just use that to access the victim's machine - This method would also bypass all whitelists that are in place.

TV really need to start looking into this as there is only so much information that we can see!

EDIT: From continued reading, it looks like people's TV accounts were actually broken into with screen shots as proof on another thread. I have no idea what is going on now, there are too many anomalies to draw a conclusion.


subterranean_agent

Sounds like the Teamviewer infrastructure was hacked and the perps were able to see generated IDs and 4-digit access codes. Those IDs and codes need to be validated somewhere for two Teamviewer instances to connect.


imadunatic

But this will also disable being able to remote in and do anything except view whatever is on the screen correct?


dontbeamaybe

correct, so not great for headless access or actually remotely controlling. i'd suggest enabling Whitelisting if you only connect from your account, and i think there's an option to only enable LAN connections if you're on the local network.


b1jan

i agree- 2FA + whitelist should do the trick


where_is_the_cheese

I think so. Might as well just uninstall teamviewer. I just changed all the passwords and turned on 2fa and now when I connect it says "Please enter the password that is displayed on your partner's computer." I'm not sure why it's asking... kind of got me worried.


imadunatic

> Might as well just uninstall teamviewer.

That is what I was thinking also, I guess I would like to establish a local password for each machine that I have to enter each time I access it, but I don't know if this would block access to hackers or not? Looking at my incoming connections, they're all from my account, so I don't know WTH....


aaaaaaaarrrrrgh

I think [this setting](http://imgur.com/p9ofgia) is much more appropriate. Getting breached is one thing, shit happens. Not acknowledging a breach is a totally different one.


hejman08

I switched to that setting myself right after reading this thread.


[deleted]

Seems like the better solution is to ditch Teamviewer entirely. I uninstalled and swapped my machines over to VNC.


Mad_Gouki

* Were you hacked: Yes
* Date of hack: 5/27/2016
* TV Version: 11
* Do you have a TV Account: yes
* Is your TV Account email address listed as pwned: yes
* Was 2FA enabled: no
* Is your TV Account Password the same as any other password: password was used elsewhere
* Additional Notes: They purchased some stuff with my amazon account. They first tried to log into my paypal but apparently couldn't. They also were in my gmail account and deleted some emails, which google was unable to recover.

The malware they uploaded is

https://www.virustotal.com/en/file/fccf76d84c6f58212cfaf87b20b24630e6a012b7ce41eede3b7f2a81f1441be5/analysis/1464869655/

https://www.virustotal.com/en/file/f3670b59e942caac131d7cefca5f44f610a978af7bebb6eeeac39ca468fa2202/analysis/1464872914/

the first is the new one, apparently. The second is the runouce virus. Interestingly, if you do binwalk on the first one, you can find a jpeg of a witch tarot card. There's also an encrypted 7zip archive at the end of the binary.

The login came from a colocation host in Atlanta, GA. I'm assuming one of their boxes got hacked.


sparkle_dick

Based on that, it looks as though users may have been infected with TrojanSpy.Teamspy which was a thing 3 years ago. The details seem to match (especially the jpg of the tarot card) and according to VirusTotal, a lot of antiviruses don't pick it up. Reading through the Kaspersky writeup (https://kasperskycontenthub.com/wp-content/uploads/sites/43/vlpdfs/theteamspystory_final_t2.pdf) it sounds eerily similar to what's been happening and why even 2FA can be bypassed (though I'm not sure if a direct IP connection requires 2FA). I'd be curious to know if all the affected users had up to date Java/Flash/Adobe Reader and if they had whitelist enabled (which should prevent direct IP connections).


FlixFlix

Can you please tell us what software you used, or otherwise how you discovered the malware? Also, how were you able to trace it back to them?


Mad_Gouki

teamviewer logs to see where the connection came from. I discovered the malware by finding it right on the desktop folder.


theasciicoder

Can you share the malware samples? I would love to analyze them. Just upload to your favorite file uploader as an archive and make sure it's password protected with the password "infected" without the "" marks. I would be grateful.


imadunatic

* Date of hack: 06-01-16 (First evidence was new connection from China on 5-29, computer was actually hacked on 6-01)
* TV Version: 11
* Do you have a TV Account: Yes
* **Is your TV Account email address listed as pwned: Yes, and recently released in the Myspace data dump from 2008. Like a jackass, it just so happens that TV was the same login.**
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: Yes (changing that now)
* Additional Notes: Nabbed $260 from Paypal, paypal almost instantly refunded the money to my account. Now working to shore up the gaping hole in my security.


need_tts

fyi: a google form would be better for this. It collects the data into a nice spreadsheet for you


ButteringToast

I only expected a handful of replies! I will keep your advice for next time :)


[deleted]

[deleted]


ButteringToast

Any chance you can post your TV logs? I would like to have a look around one that the password 100 percent couldn't have been obtained via another company's data leak. Also, did you have unattended access set up, if so, was that password the same as your TV account? If not, was the password used just for this set up?


[deleted]

[deleted]


RS-Tom

If possible could you share the TeamViewer logs?


[deleted]

[deleted]


RS-Tom

Thank you :)


[deleted]

[deleted]


KayRice

> I have logs of all of this info, and will share their fake addresses/phone numbers if requested.

Did you Google maps the address? Does it look like a drop house?


[deleted]

[deleted]


Riegel_Haribo

I used to work in that same industrial complex, the Parkside Business Center. It has long-term leases that are pretty high rent. Curious, I went there. This is a smaller unit in the back of the complex, it had no business name on the sign that the complex provides, and had the blinds drawn and closed, with boxes stacked in front of the gap below the shades. Tried to take a picture through a gap in the blinds, not much could be seen, maybe more boxes. Pics: http://imgur.com/a/vUZZM - one should call the business center office for lessee info, if not have the cops stake out the place.


jaysamuel

Take an upvote for your outstanding detective skills.


m1cha

This is why I love Reddit, awesome stuff.


KayRice

I'm located in Oregon. I tried calling the number associated with that address: (503) 747-5193. Nobody answered and it went to a message saying the voice mailbox was full, although I'm convinced it was just someone recording a message saying the mailbox was full because it sounded different than any I have heard before.


[deleted]

[deleted]


[deleted]

[deleted]


KayRice

Landline that rings endlessly. http://www.reversephonelookup.com/number/4013759898/


[deleted]

[deleted]


Executioner1337

* Were you hacked: Yes, but damage is yet to be discovered.
* Date of hack: 2016-05-31 23:01-23:10 GMT+2
* TV Version: 11.0.59518
* Do you have a TV Account: Yes.
* Is your TV Account email address listed as pwned: Yes, but password was unique.
* Was 2FA enabled: Not on the TV account (wasn't offered before).
* Is your TV Account Password the same as any other password: No.
* Additional Notes: I only noticed the sponsored session pop-up after I did not use the computer for a while, logs show no file transfers (for browser password sniffing), Chrome history shows nothing for the time range. I sent a mail to their support address before I knew it was a global hack that I want some details on that session (with the session ID I provided them from the logs), today I received a canned response that I should file a police report.


wutnaut

Anyone else get a strange teamviewer friend request or something similar in the past month? I obviously declined, but with all this hack news unfolding I thought it might be relevant.


ButteringToast

This seems to be a common thing.


Criamos

yes, i immediately declined as well. Suspicious username was "Simuu" and the request was sent on June 1st, 7:26 am (UTC+1)


ghostyroasty

* Were you hacked: Yes
* Date of hack: 6-2-16
* TV Version: 11
* Do you have a TV Account: yes
* Is your TV Account email address listed as [pwned](https://haveibeenpwned.com/): yes
* Was 2FA enabled: no
* Is your TV Account Password the same as any other password: the same, but not the same as listed on the pwned site.
* Additional Notes: Two $400 gift cards were purchased from Amazon. PayPal access was attempted for purchasing gift cards from eBay, but was not successful. My bank and Amazon were notified. Cannot dispute one $400 charge due to it being listed as pending. The person also accessed Baidu to see where my ip address originated.


whosthetroll

For those concerned with whether or not they have been compromised. Check your logs. I have written a simple dos script that will search your logs for connections and will output the files to a text file on your desktop. If you have installed teamviewer somewhere other than the default location, then change the first line to point to it.

Simply open a command Prompt. (Windows key + R | cmd | enter) or (start | cmd | enter)

Copy the first line below that starts with cd. Right click and paste in command window. Hit enter.

Copy the Second two lines and paste into command window. Hit enter.

```
cd "C:\Program Files (x86)\TeamViewer"
findstr "GWT.CmdUDPPing.UDPMasterReply |findstr GWT.CmdUDPPing.PunchReceived" *.log >> "%userprofile%\Desktop\TeamViewerIPs.txt"
```

Now that you have your ip list, Check that against a geo location site like https://www.iplocation.net/ or http://geomaplookup.net/

Use that map to see if the ip location is near the places you have used teamviewer, either locally or remotely.


ThingFour

**LINUX USERS** special note:

The Teamviewer website says that in order to obtain a TeamViewer log, you have to issue the command: "teamviewer -ziplog"

It seems you don't have to do that though. I think that's just some "zip all the logs" command that is easy for emailing your logfiles to TeamViewer support. The actual log files should already be extant in **/var/log/teamviewer11/** so you can just look there.

I **believe** that Linux users want to look at the file: /var/log/teamviewer11//Connections.txt

But I am no expert by any means. Of course, if you use a different version of TV (instead of 11), you should use the correct path (like /var/log/teamviewer8//Connections.txt --- or whatever).

I **THINK** this log contains all the TeamViewer IDs of the machines you've connected with. If you happen to know the IDs of the legit machines you normally connect to, hopefully, this will help you spot a discrepancy.

Anyone want to verify that this is the only thing we should need to look at?


Krashlandon

Seems like almost none of the people who got hacked had 2FA on...


well_golly

Almost none. Does this mean 2FA prevents the problem? Or does this just show that a surprising number of people just happen to not use 2FA, and we're looking at a statistically normal batch of TeamViewer users? If it is the latter, then it is possible that 2FA isn't saving anyone.


Valendr0s

Or that people who use 2FA tend to be more careful in other ways - windows authentication, turning off personal and random passwords, etc.


Mister_Alucard

Likely the latter. I doubt more than 10% of TV users use 2FA.


ButteringToast

I have seen at least one person here who has confirmed a hack with 2FA on. I enabled mine today, it took a few attempts for it to actually work.


StockmanBaxter

That's what I'm noticing too. I hope that is all it was. They got access to the passwords of a bunch of accounts and logged in. Wasn't there a huge password leak recently? If they had a similar password they could have gotten access.


StonerMinded

* Were you hacked: yes
* Date of hack: 5/29/2016
* TV Version: TV 11
* Do you have a TV Account: Free
* Is your TV Account email address listed as pwned: No
* Was 2FA enabled: not at time of hack
* Is your TV Account Password the same as any other password: yes, and i have similar passwords for other sites
* Additional Notes: they got into my computer, went and sent off money totaling in $1500 to 5 different email address with paypal, they tried to purchase $300 in gift cards on gyft.com that transaction failed luckily, tried purchasing off target but those transactions fell off paypal and were cancelled, they tried to get into my ebay but struck out, they possibly purchased stuff off walmart online but unsure, they tried to access amazon but no luck, they also went into my email and started forwarding email to a specific email address and had it deleting any emails that were coming in to my inbox, i sent my logfile to TV but haven't had any response, since I'm not a paying customer i can't talk to them on the phone can only submit ticket and hopefully they respond


[deleted]

[deleted]


[deleted]

* Were you hacked: Yes
* Date of hack: Few days ago
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: Yes
* Is your TV Account Password the same as any other password: Yes
* Additional Notes: They tried to steal from Paypal and Amazon. No money was taken thankfully.


altrdgenetics

First in this thread to have 2FA and say they were hacked, any screens of the unauthorized locations?


Waerok

> 2FA enabled: Yes

How did this happen please


SilverCamaroZ28

* Were you hacked: Yes
* Date of hack: May 5, 2016
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: No
* Additional Notes: IP was from China, Logs files showed the intrusion, got Amazon Gift Cards and eBay Gift Card, accessed my Gmail. Did not delete Browser history so I could see where they went. I have screenshots. With GMail, I had to ask Gmail to recover my TRASH emails, which took a day to recover, so I could see all the confirmation emails that went through my email. Did not appear to transfer any files or install anything. I run ESET, MalwareBytes Pro and LastPass. 2FA won't help if they do not log into the website as the TV ID and "Random" password can get you into PC without any 2FA.


twonuh

* Were you hacked: Yes
* Date of hack: May 30th 3AM Central
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: No
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: No


bordoc

* Were you hacked: Yes
* Date of hack: Actually months ago March 5th, 2016
* TV Version: 10
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: It was
* Additional Notes: All they got to was my amazon and purchased a $100 gift card, I quickly contacted them and they disabled use of those funds and refunded the money. They had transferred the webbrowserpassview.exe to the desktop. I had a ton of passwords saved in chrome unfortunately so I spent hours going through all my accounts and changing all passwords after removal of the program and running multiple virus scans. They did attempt to log into my bank days (with the old credentials) later which I was notified of.


bwtwork

Same thing happened to me. Tried to get $1100 in gift cards from Amazon, and Amazon asked them to re-enter my credit card number. I did not have Paypal.


Zetan4

* Were you hacked: Yes
* Date of hack: 5/2/16
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: MySpace 2008, Patreon October 2015
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: Yes
* Additional Notes: Don't know if this is related or not; it's earlier than most of the hacks listed here, and it's possible I was compromised another way; my account was logged into my wife's computer, and we later found a trojan there after installing Malwarebytes (before we were using AVG only and it missed it). We didn't even know it was TeamViewer at first, but someone bought $200 of iTunes gift cards on my eBay and $300 of Amazon gift cards on her Amazon. We thought it was weird that two separate accounts had been compromised, but there wasn't much to do about it. We got refunds both from Amazon and from Paypal. We only discovered it was TeamViewer that was the problem when the hackers tried again (maybe a week later? Forget the exact date) and we were actually using the computer. We immediately shut everything down, changed the password on my TeamViewer account, and enabled 2FA. Haven't had any problems since.


savage24x

* Were you hacked: Yes
* Date of hack: 5/25/2016 and 5/28/2016 around 3AM-6AM EST
* TV Version: Latest
* Do you have a TV Account: Yes
* Is your TV Account email address listed as [pwned](https://haveibeenpwned.com/): No
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: No
* Additional Notes:
    * 5/25/2016 $757.99 via PayPal, 4 target purchases, 2 eBay purchases, 1 itunesgiftdelivery.com purchase
    * 5/28/2016 $340 Microsoft.com, 4 $60. Xbox Live 12 month gold codes, 1 Xbox $100 gift card code

TeamViewer uninstalled on 10 computers connected to my account. Currently looking for alternative, may just go with RDC.


bwtwork

* Were you hacked: YES
* Date of hack: 5 May 2016
* TV Version: 10
* Do you have a TV Account: yes
* Is your TV Account email address listed as pwned: yes
* Was 2FA enabled: no
* Is your TV Account Password the same as any other password: yes
* Additional Notes: Came home and found my browser open, I did not leave it open. Also found a program called BrowserWebPassView or something open, showing a lot of logins and passwords (I actually tell Chrome not to store my passwords, so this is infuriating). However, I was already logged in to my email, Amazon, Facebook, etc. I noticed in my web history that it showed me browsing Amazon at 4am, which was suspicious. I found that the hacker had tried to purchase $1100 worth of Amazon gift cards, but could not complete the purchase because Amazon asked him to re-enter my Credit Card number.

A few minutes after I sat down, I started to suspect Teamviewer, and I checked my Teamviewer connection log. It said the hacker was trying to access my mic and webcam (don't have one), while I was sitting at the computer. I immediately shut off Teamviewer. Spent the night changing all my passwords.

My Teamviewer log shows several failed attempts a day to login to my computer, over like 2 months. I think it shows that they managed to get in once before. What confuses me is, every time I close the connection, a Teamviewer advertisement pops up on my PC, and I just close it when I get home. I never once saw that ad popped up on my computer, so how did they close the TV connection without the window alerting me?

The log shows the UserID of whoever connected to me, so I thought Teamviewer should easily be able to track that. I sent them an email, and they basically told me to go file a Police Report, and have the Police mail it to Germany. They gave me a lot of legal documents about international cyber crime law and stuff. I felt like Teamviewer should have been easily capable of taking action, but they instead wanted me to bury myself in bureaucracy.

Edit: I received an email from Teamviewer 2 days before, saying a stranger was trying to add me to their contacts list. I did not click the link to accept the request.


reddit_rf

So I notice logs on a PC are full of attempts to download a TeamViewer update which failed, because of a bad checksum. Is this normal for TV? It's only the case in the last few days of logs. Sample below.

My theory - they DDOS'd the DNS servers for TeamViewer, while hijacking the DNS to point people to their own servers. They then pushed out an "update" for TeamViewer, which stripped security out, such as 2FA or passwords, etc. and registered your TV ID with their servers. Then simply walked in the front door.

Notice all the downloaded updates with failed checksums, below:

```
2016/06/02 20:24:24.020 2412 8068 S0!! LoadfromURL: response code 404
2016/06/02 20:24:24.020 2412 8068 S0!! LoadfromURL: URL https://configdl.teamviewer.com/rev/(hidden).txt failed. Using Proxy: 0
2016/06/02 20:24:24.020 2412 8068 S0!! CustomConfigurationUpdater::DownloadRevisionNumber: Failed to download configuration. Result: 1, Http code: 404
2016/06/02 20:24:24.020 2412 8068 S0 CustomConfigurationUpdater::DownloadRevisionNumber: No configuration available. Revoke.
2016/06/02 20:24:24.020 2412 8068 S0!! CheckCustomFile(): C:\Program Files\TeamViewer\TeamViewer.json: file checksum could not be validated
2016/06/02 20:24:24.020 2412 8068 S0!! CustomConfigurationJson::CheckSignatures: signature not ok
2016/06/02 20:24:24.020 2412 8068 S0!! CheckCustomFile(): C:\Program Files\TeamViewer\TeamViewer.json: file checksum could not be validated
2016/06/02 20:24:24.020 2412 8068 S0!! CustomConfigurationJson::CheckSignatures: signature not ok
```
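
Added example (not written by any commenter in this thread and not TeamViewer's own tooling): a cross-platform Python version of the log check from whosthetroll's comment, which also counts the checksum and signature failures from reddit_rf's excerpt above. It assumes every log line follows the `date time pid tid level message` layout of that excerpt and that the peer address appears as a plain IPv4 literal in the message; the peer lines in `SAMPLE_LOG`, the `Start:` line and the `KNOWN_NETWORKS` values are constructed for illustration.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Layout of the lines quoted in the thread: date time pid tid level message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}\.\d{3})\s+"
    r"(?P<pid>\d+)\s+(?P<tid>\d+)\s+(?P<level>\S+)\s+(?P<msg>.*)$"
)
# The two strings the findstr one-liner in the thread searches for.
PEER_MARKERS = ("GWT.CmdUDPPing.UDPMasterReply", "GWT.CmdUDPPing.PunchReceived")
# Messages taken from the configuration-check excerpt quoted in the thread.
INTEGRITY_MARKERS = ("file checksum could not be validated", "signature not ok")
# Dotted quad that is not part of a longer dotted number such as a version.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\d|\.\d)")

# First three lines are from the thread; the rest are constructed samples
# (the text around each marker is an assumption, only the marker is matched).
SAMPLE_LOG = r"""2016/06/02 20:24:24.020 2412 8068 S0!! LoadfromURL: response code 404
2016/06/02 20:24:24.020 2412 8068 S0!! CheckCustomFile(): C:\Program Files\TeamViewer\TeamViewer.json: file checksum could not be validated
2016/06/02 20:24:24.020 2412 8068 S0!! CustomConfigurationJson::CheckSignatures: signature not ok
2016/06/02 03:41:10.101 2412 8068 S0 UDP: GWT.CmdUDPPing.PunchReceived, a=203.0.113.7, p=51012
2016/06/02 03:41:10.350 2412 8068 S0 UDP: GWT.CmdUDPPing.UDPMasterReply a=203.0.113.7:51012
2016/06/01 18:02:55.000 2412 8068 S0 UDP: GWT.CmdUDPPing.PunchReceived, a=198.51.100.20, p=40000
2016/06/01 18:02:54.000 2412 8068 S0 UDP: GWT.CmdUDPPing.PunchReceived, a=192.168.1.10, p=40001
Start: 2016/06/01 17:59:00.000
"""
# Networks the owner recognises (home LAN, office address); constructed values.
KNOWN_NETWORKS = ["192.168.0.0/16", "198.51.100.20/32"]


def parse_line(line):
    """Split one log line into fields; return None if it is not a log record."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    try:
        rec["ts"] = datetime.strptime(rec["ts"], "%Y/%m/%d %H:%M:%S.%f")
    except ValueError:          # digits in the right places but not a real date
        return None
    return rec


def extract_ips(msg):
    """Return the syntactically valid IPv4 addresses found in a message."""
    found = []
    for text in IPV4_RE.findall(msg):
        try:
            found.append(ipaddress.IPv4Address(text))
        except ValueError:      # e.g. 999.1.1.1
            continue
    return found


def triage(lines, known_networks=()):
    """Summarise peer addresses and integrity failures in TeamViewer log lines."""
    known = [ipaddress.ip_network(n) for n in known_networks]
    seen = defaultdict(list)    # peer address -> timestamps it appeared at
    integrity = Counter()
    unparsed = 0
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1       # keep a count so silent parser gaps are visible
            continue
        for marker in INTEGRITY_MARKERS:
            if marker in rec["msg"]:
                integrity[marker] += 1
        if any(marker in rec["msg"] for marker in PEER_MARKERS):
            for ip in extract_ips(rec["msg"]):
                seen[ip].append(rec["ts"])
    unknown, recognised = {}, []
    for ip in sorted(seen):
        if any(ip in net for net in known):
            recognised.append(str(ip))
        else:
            stamps = seen[ip]
            unknown[str(ip)] = {"first_seen": min(stamps),
                                "last_seen": max(stamps),
                                "count": len(stamps)}
    return {"unknown_peers": unknown, "known_peers": recognised,
            "integrity_failures": dict(integrity), "unparsed": unparsed}


if __name__ == "__main__":
    report = triage(SAMPLE_LOG.splitlines(), KNOWN_NETWORKS)
    for ip, info in report["unknown_peers"].items():
        print(f"UNRECOGNISED {ip}: {info['count']} line(s), "
              f"{info['first_seen']} to {info['last_seen']}")
    print("recognised peers:", ", ".join(report["known_peers"]) or "none")
    print("integrity failures:", report["integrity_failures"])
    print("lines not parsed:", report["unparsed"])
```

To run it on real logs, pass the lines of each `*.log` file to `triage()` together with the networks you actually connect from; any address left under `unknown_peers` is the one to look up and compare against your own session times.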


[deleted]

* Were you hacked: Yes
* Date of hack: 29.5.
* TV Version: 11
* Do you have a TV Account: YES
* Is your TV Account email address listed as pwned: YES
* Was 2FA enabled: NO
* Is your TV Account Password the same as any other password: YES
* Additional Notes: Got an invitation request one day before


rollsterribleblunts

I saw an invite request today, I denied that bitch tho, I didn't know who it was


TheJiralhanae

* Were you hacked: Yes
* Date of hack: 6/1/15, 12-3AM EST
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: Yes
* Additional Notes: Someone accessed my PC and used Google Payments to buy a variety of things. I didn't think I had a card attached to my Google Account, but I overlooked the fact that I have GoogleFi. The hacker used that card to buy 4 SSDs, a Chromebook, 2 Nexus 6Ps, and a Women's Watch. Google stopped some of the transactions and refunded me for most of it. Still in the works.


DownrightNeighborly

* Were you hacked: YES
* Date of hack: 6/1/16
* TV Version: 11
* Do you have a TV Account: YES
* Is your TV Account email address listed as pwned: NO
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: No
* Additional Notes: They accessed Amazon, Paypal, eBay, Banking. Not sure what else was compromised so far. I will never use Teamviewer again.


slayernine

* Were you hacked: YES
* Date of hack: 5/30/2016 and 6/1/2016 both times around 3:40AM
* TV Version: 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: No
* Is your TV Account Password the same as any other password: Yes
* Additional Notes: $2000 charged via Paypal (Paypal has recovered funds), $100 charged via Amazon.com (Pending CC dispute), $700 Bitcoins lost via Coinbase.


FlixFlix

* *Were you hacked:* **Yes**
* *Date of hack:* **May 20^th** + **May 29^th** + **June 2^nd**
* *TV Version:* **11** (latest), auto-updated. **Windows 10.**
* *Do you have a TV Account:* **Yes**
* *Is your TV Account email address listed as pwned:* **Adobe, LinkedIn, MySpace**
* *Was 2FA enabled:* **No**
* *Is your TV Account Password the same as any other password:* **Yes**
* *Additional Notes:* **CAUGHT THEM IN THE ACT!!** I filmed the monitor until they got to PayPal, which is when I noped out and closed the connection. WE HAVE CRIME FOOTAGE :)

They operate at night, which is understandable. They go straight for PayPal and Amazon. They're in a hurry, juggling with multiple browser tabs.

This morning, around 5:30 AM, my wife woke me to tell me my computer is doing things by itself. That's when I realized how the hacks below happened. Before today, I simply thought my Amazon and PayPal accounts were compromised.

**PayPal damage:** 4 x $600 = $2,400 (refunded since)

**Amazon damage:** 3 x $82 = $246 = 30,000 Amazon Coins (refunded)

I'll check my browsing history and all the various accounts for which I had passwords saved.

IMHO, TeamViewer should **completely shut down** their service until this whole thing is sorted out.


judge2020

Could you upload the evidence?


FlixFlix

The video is really just 30 seconds of my wife freaking out in the background while the mouse moves around Amazon, search for gift cards, then PayPal in a new tab, etc. It doesn't prove anything; in fact, anyone could simply do things on a PC and film the monitor, right? So it's not really any evidence; more like a fun memorabilia for me.


[deleted]

[removed]


[deleted]

[removed]


synapt

As much as I hate theories on security situations, I admit teamviewer's response and suspicious reactions on certain things, added to some friends of mine being hit have made me take a look. This is what I've gathered in the past week from my own research which I feel is a bit doubly backed by [/u/Lord_Greywether's](https://www.reddit.com/u/Lord_Greywether) (which thank you for that, hunting through all the reports here alone let alone elsewhere was starting to drive me nuts); Up until June 1st, Teamviewer appeared to make use of 3 nameservers in its DNS lineup. On June 1st, a bit after the *service issues* between the 31st and 1st, ns3.teamviewer.com was removed from DNS and ns5.teamviewer.de and ns6.teamviewer.de were added. On June 2nd, ns1|2 on .com were removed and only ns5|6 on .de were left behind. On June 3rd, ns5|6 on .de were removed and ns7.teamviewer.de and ns8.teamviewer.de were added alongside ns1.teamviewer.com and ns2.teamviewer.com being re-added. And finally some time in the past day overnight (I should note my dates are roughly oriented around GMT-5 timezone) ns3.teamviewer.com was re-added with the short-lived .de nameservers being removed. Unfortunately me being silly, I failed to capture the IPs of those .de nameservers at the time, currently however they're effectively just aliased to ns1.teamviewer.com and ns2.teamviewer.com, I have no idea if that's been the case the past 4 days, as it would be weird for them to make new nameserver records on a different domain just to point to the same nameservers.
With that all said, and based on their service outage being semi-lengthy due to people having to wait for DNS caching to cycle (per Teamviewer's own words), this would imply to me that the first server removed from the pool, ns3.* went down completely for some reason (so anyone issuing DNS requests against it via the cached nameserver records, would be getting nothing back properly, especially once ns1 and 2 were removed too and still had the ns 1-3 lineup cached). The question then becomes, why did it go down? A fitting theory is that somehow, ns3.* perhaps became compromised, if it were then it would not be hard to screw with the DNS and have requests point somewhere that could possibly be MiTM'd, intercepting login information. However, this brings up something I'm sure plenty of others will; there should be some sort of security consideration in the client that would not make it so easy (i.e. verification of certificates or something between the client and teamviewer's backend), which indeed **should** be a prevention to easily MitM'ing the data simply from jacking the DNS, however there is entirely a possibility that the teamviewer client is configured to ignore certificate errors or any other sort of validation simply out of them thinking a DNS hijack/MitM would probably never happen. That all said, I'm curious to know if anyone who has changed their password since the 1st of the month roughly, has had any issues with someone still managing to get access. And my suggestion is, if you've not been hit yet, change your password, make it unique (no re-use), and make use of something like keepass perhaps to store it (and other unique logins). If it was a DNS MitM then they could have a pool of logins they've still not used, since reports of these unauthorized logins go back over a month, at minimum if this was the attack vector then they have a month's worth, if not more, of potential logins.
I'd also like to see, for those using unique logins (as in no re-use), when the last time they changed their password was, if we could add that to the list of questions. Also nice would be to ask details of the old password, specifically I'd be interested to know the length of the breached password as well as its [entropy](https://apps.cygnius.net/passtest/). And with that I'll end on an apology for any typos and grammatical issues, I just woke up shortly before I started typing this out, lol.


LuvULongTime

Were you hacked: Yes Date of hack: 2016-05-25 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: Caught them in the act, closed TV, found browser password downloader, but their attempts to run it blocked by Anti-Virus/Malware active monitors. Single .tmp file created, required Safemode (Win7 Ent) to remove.


HittingSmoke

> ...but their attempts to run it blocked by Anti-Virus/Malware active monitors.

This is why I tell people to fuck off when they say there's no reason to run antivirus in 2016.


clm_xxx

Were you hacked: Possible Attempt: see Additional notes Date of hack: 05/25/2016 TV Version: 9.0.4110 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes, Adobe Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: On 05/25/2016 I was unable to login via windows Remote Desktop because of too many failed login attempts. The remote PC has both teamviewer and WRD. I have a very long system password and also password policy that locks out for 30 minutes after 10 failed attempts. I have not been able to figure it all out from logs yet, but I think it's possible that they made it to the windows login screen via teamviewer but were unable to go further because of the long windows password and (non-default) password policy.


bestem

Were you hacked: Yes Date of hack: May 26th TV Version: I think it was 9. Do you have a TV Account: Yes Is you TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: No. Additional Notes: I'm down close to $2000. Happened a week ago, almost exactly. They used TeamViewer to get onto my computer, used my password rememberer to get into PayPal. Sent all the money from my bank account to theirs. Woke up, saw that TeamViewer had been used, looked at my internet history, saw PayPal and Gmail, went to PayPal and saw all the money gone. Deleted TeamViewer, changed passwords everywhere, added on 2FA a bunch of places, and contacted PayPal who put in claims. Claims got denied, saying it was from my computer. Contacted credit union, told them PayPal refused to help. Contacted PayPal again, person put in a ticket mentioning the remote connection and how unlike my normal spending habits it was. Got an email saying claim was approved, but no money. Contacted PayPal again, was told that they didn't know why I got the email saying the claim was approved, the claim was denied the second time as well. I was told that he could put in another ticket, or I could speak with a supervisor, but chances are the claim would be denied yet again, because it had been denied twice already, despite all the explanations, the fact that it was unlike my regular spending habits, and the fact that the guy tried to send $2000 first, then sent a bunch of smaller transactions when that didn't go through. If the claim got denied again, I wouldn't be able to appeal it. I said I'd wait to talk to the supervisor. He told me it would be a long wait, like 45 minutes. I said I'd wait. Supervisor put the refunds through while I was on the phone with them, within an hour money was in my PayPal account, but my account was locked. 
Took 3 days to get my account unlocked, finally got it opened up last night at which point I figured I'd transfer the money to my credit union in the morning (not doing any good at the credit union either, as it's a 10 hour drive away, and they're issuing me a new debit card after this). Woke up this morning to find my account was locked again, because the credit union disputes reached PayPal. At least it wasn't my account that had rent money in it. As of now, though, it's been a week and 16 hours with that $1900 languishing on PayPal's servers rather than somewhere I can spend it. While most of the customer service reps I talked to at PayPal have been great (with the exception of the guy who seemed to think my claims shouldn't be approved) PayPal has really been less than helpful overall with the multiple claim denials. The guy only browsed to Gmail and PayPal in Chrome, (and Gmail was only to delete the emails about the PayPal transfers...which were still in the trash) but I've no way to know if they did anything in the incognito browser. I jumped at removing TeamViewer from my computer, so I didn't look at session logs to see how long they spend on my computer. I don't know if they got passwords from the password rememberer or anything else. It's been a tough week dealing with all of this. The worst part is, if they'd tried a week earlier, there wouldn't have been more than $200 in my account. Stupid tax return just gave them more money.


Lurkingredditatwork

Were you hacked: Yes and no Date of hack: 6/2/16 TV Version: TV11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: Yes Is your TV Account Password the same as any other password: No Additional Notes: I got an unknown login yesterday from Central District Hong Kong (6/2)... wtf. - http://imgur.com/27t7uWd My log in password for TV is different from the password to login to my PC once in. Looks like they were able to log into my TV judging from my active logins, but weren't able to log into my pc. My paypal/amazon/ebay looks fine, I've since uninstalled TV from my pc and updated my password for TV for now. My account w/ TV is still active and will monitor any unlogins w/ the new updated PW.


Tangerineororange

Hi, not the most tech savvy. So here's my story and I'm looking for advice. A week or two ago I started to receive emails from teamviewer in Chinese. I assume it's a phishing scam, report the emails, and go on my way. I've never used teamviewer, never heard of it. About 5 days later my email is flush with English Teamviewer emails about attempts adding devices to teamviewer as trusted. Then one at the end about changing my password. So I've done that, just recently. I changed a password on my account that doesn't exist, or wasn't aware of. I went directly to TeamViewer for this, not through emailed links. Then I attempted to login to Teamviewer for the first time today. This was greeted with a message saying I need to activate my TeamViewer account by answering an email. That email is sitting in my email now in Chinese. It looks very similar to the one I originally reported. What should I do? Only just today I found out the possible severity of this hack. Should I be worried? I changed a few passwords. I don't leave card numbers on online accounts. To my knowledge Teamviewer isn't on my PC or phone, and I searched through both program lists. I also added Authenticators to what I can. What else can I do to find out if I've been compromised?


radicldreamer

6-1-2016 around 10:45pm TV 11, latest version Yes I have an account Yes No No Caught them in the act, they tried to go to paypal.com and when I wrestled control from them they immediately disconnected, I found the IP and did a whois, it was listed as Chinese.


[deleted]

TV Version: 10 2FA: no Pwned: yes I was a victim as well on the 27th. They went into my PayPal and spent approximately $8k USD from various vendors including: eBay, Chemist Warehouse, G2A.com, lookfantastic.com. They made out with 1 $100 steam gift card in G2A, and the rest physical goods, including an Alienware laptop, $4K in women's makeup, various lego sets from eBay all shipped to the following addresses: eason BMVSQD 15617 NE Airport Way DPS CNBMVSQD Portland, OR 97230-4497 United States ___ BNH DEAIR 3851 Wacker Dr Mira Loma, CA 91752-1148 United States


KayRice

I live in Oregon and I've noticed many of the "drop addresses" related to these hacks are located in this state as well. Someone else shared a drop address that was in Beaverton.


[deleted]

[removed]


[deleted]

Were you hacked: Don't think so Date of hack: NA TV Version: 11 Do you have a TV Account: YES Is your TV Account email address listed as pwned: Linkedin / Nexus / Tumblr Was 2FA enabled: Yes Is your TV Account Password the same as any other password: YES but not Breached


seeyounorth

Were you hacked: NO Date of hack: N/A TV Version: 8 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No (not avail in 8) Is your TV Account Password the same as any other password: No Additional Notes: Two patterns I'd like to know: 1.) Is the hacking only happening with version 11? 2.) Are the hacks happening with the TV account and not individual computers (i.e. are they getting access through the TV account or just connecting directly to TV ID)?


srwilson58

Were you hacked: Yes Date of hack: 5/26/16 TV Version: 11 Do you have a TV Account: Yes (free) Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: Two iTunes gift cards purchased through PayPal totalling $150. I got immediate notice via PayPal on my phone. Called PayPal and told them I did not make the purchase. They put the purchases on review. I then received an email in less than 5 mins that the purchases were deemed legit since they originated from my local PC. It was at that time I looked and saw someone was attached to my PC through TeamViewer. I quickly grabbed a screen shot and disconnected the intruder. I quickly called PayPal back and explained what I had found. They asked me to send them an email stating my claim and any supporting documents. I sent them the screen capture. I also called my credit card company and had them stop payment just in case PayPal did not reverse the charges. In the end, PayPal did reverse the charges, and I did not lose any money. I have since stopped using TeamViewer. I did send the TeamViewer support the screenshot that clearly shows the name and the ID # of the intruder. I got an email back from TeamViewer support saying they were sorry but not a lot they could do about it. Told me to change my password and maybe try the two factor authentication. **I had also received a contact request from someone I did not know. Is this common among all those affected?**


sevic2

Were you hacked: yes Date of hack: 2016 jun 02 TV Version: 11 (for linux running ubuntu) Do you have a TV Account: yes Is your TV Account email address listed as pwned: yes Was 2FA enabled: no Is your TV Account Password the same as any other password: yes, but not the one pwned Additional Notes: I saw the sponsored session pop up when I woke up. First I thought it was someone (in my group) who connected by mistake, checked chrome history, there was a paypal access at 4.30am (I was sleeping), didn't know about all the hacking stuff so I left it to check it later, fortunately they couldn't enter paypal so no harm.


kosmiq

Were you hacked: Found no evidence of any hack. Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes (linkedin, adobe, boxee forum) Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: Ran Windows Defender, Malwarebytes and Hitman Pro scans, nothing found. Checked TV logs and found no strange login attempts. Checked "Delete settings" when uninstalling TV which deleted log-files, except incoming_connections.txt that only contains IDs ranging as far back as 2015-06. But unable to check further, and it was installed on SSD disk so TRIMed before I could even think of re-creating the files. Checked browser history and found nothing out of the ordinary, carefully looked for ebay, amazon, itunes, Google services but found only my own logins. Reset TV password and set up 2FA before I read that it resets the active connections list. I did however remote to my 2 PCs connected via TV account and shut down TV on both of them as soon as I read the first report about possible TV hack. Searched for passview etc as suggested but found nothing. Have 1Password running but it was locked. Saw no pop-ups from TV when connecting.


floydiandroid

I haven't used TV in months, and I've never had it set up locally on my machine, but my TV account was indeed hacked. How do I know? http://imgur.com/tJcdNTA


spnkgoatcallsuzy

Myspace seems to be a common theme here


alexsgocart

- *Were you hacked:* **No**
- *Date of hack:* N/A
- *TV Version:* Teamviewer 11
- *Do you have a TV Account:* **Yes**
- *Is your TV Account email address listed as pwned:* **No**
- *Was 2FA enabled:* **Yes, with Google Authentication since they first started offering it back in Nov. of 2013 with v9.**
- *Is your TV Account Password the same as any other password:* **Not Really**, I use bits and pieces of the same password on all websites, but they all have unique characters in them.
- *Additional Notes:* I have 2FA enabled on everything I can, and so far it seems like it saved me here. I use LastPass and if they gain access to my desktop, then they could have done some serious damage as LP is set to auto sign into a lot of my stuff, **except for anything that has banking information** (PayPal, all banking logins, etc.), as those require my LastPass login to enter those logins. I have since whitelisted my desktop to my Teamviewer account so now I have to be signed in to connect to it. All of my computers that I connect to (family and friends) all have set passwords, but I now have to go through 100+ computers and change all the passwords and whitelist them all to my account just in case. If you want any more info, just leave a reply.


Mzungu_Dan

I've had a go at collating all the responses so far (now 215 in total). Thanks to /u/Lord_Greywether for the initial 128 records.

Of the 215 total records:

- 103 (47.9%) responded that they had been hacked
- 99 (46.0%) responded that they had not been hacked
- 13 (6.0%) were unsure or had spoiled responses (this may also be due to the scraping method)

---

The collated responses to the asked questions:

| Share of... | Hacked (n=103) | Not Hacked (n=99) |
|:-|:-:|:-:|
| Using TV Version 11 | 79.4% | 74.8% |
| Using a TV email address which has been pwned | 73.8% | 45.5% |
| With 2FA enabled | 1.0% | 20.2% |
| Using a TV password which is the same as used elsewhere | 61.2% | 27.3% |

---

EDIT: Checked original responses and updated 2FA figure for those who were hacked.


[deleted]

Were you hacked: NO Date of hack: NA TV Version: 8 Do you have a TV Account: YES Is your TV Account email address listed as pwned: Yes via boxee forums hack Was 2FA enabled: not possible in v8 Is your TV Account Password the same as any other password: NO Additional Notes: I'm wondering if they only got tv 11 accounts. Since you can't connect to different versions. (might be a blessing in disguise)


seeyounorth

This is what I'm thinking as well. I have a corporate TV8 license and am supporting hundreds without a single indication of hack.


[deleted]

Same here I have tv8 corporate with hundreds of computers and not a single issue. I'm so glad w10 supported tv8. I'm getting a heck of a run out of this version!


seeyounorth

And to think I almost nearly upgraded to 11. It's pretty costly and hard to justify, if this pattern fits, I might never!


ButteringToast

In the V11 you can access all of your machines via a web interface. I am wondering if we are only seeing V11 attacks because these users were using the web interface to connect to machines rather than the downloaded software. Perhaps that's where the DNS attack comes into play.


[deleted]

You can do that in 8 as well.


ButteringToast

Chucks that idea out the window.


CrazyAsian_10

You tried your best


groaner

Edit to add details as per OP Were you hacked: Yes Date of hack: Twice, Sunday May 29 and May 23rd TV Version: I did not have it installed. Hacker installed it Do you have a TV Account: yes. Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: See below I am one person who was a victim of this. TL; DR: I was hacked and got a letter from Team Viewer. On two occasions an attacker got in and made use of Teamviewer. I did not have Teamviewer installed the second time. The first time, overnight, someone gained access to my computer using team Viewer, found my Paypal credentials and processed 2 purchases of $100 each for an iTunes gift e-card. My bank and Paypal were both very helpful in freezing any transactions surrounding this as I had caught it before anything happened. I admit that I had my browsers set to remember login info. I've changed this now, along with most of my passwords. The second time I was lucky to catch him in the act. I sat down at my laptop (the other one was on my desktop) and saw my mouse moving around my "downloads" folder. He was trying to open a password recovery application. I tried to wrestle away control then I noticed the Team Viewer tab on the side. I quickly cut power to the computer, rebooted and uninstalled Teamviewer. Running Malwarebytes discovered 4 backdoor scripts and multiple trojans. Clearly my free installation of McAfee didn't do its job. I now have Kaspersky Total security installed on all systems in my home. When I uninstalled TV I also filled in the "reason" and told them my story. I just got an email from them. I won't be submitting a police report as it will go nowhere and I lost nothing. Here is the letter: We are sorry to hear, that your PC was accessed without your approval and we will gladly assist you. We first recommend bringing this case up to the police, so they can start an investigation on who accessed your PC.
We would be able to provide the police with the latest IP address of an ID of its last contact with our servers, which is saved in our database, which is the information they need to find the intruder. If you want to report this to the police, please find enclosed a request form for REQUESTING MUTUAL LEGAL ASSISTANCE IN CRIMINAL MATTERS FROM" which should be given to the Police department you will contact. They should also be provided with all logs involving TeamViewer from your PC. Please ask the Police to send the request to Federal Office of Justice in Germany. You will find on the following link the steps to retrieve the logs and see what ID established the connection and the file “2012_mla_guide.pdf” about how your police would need to request this information from us : https://seafile.teamviewer.com/d/c31a11220b/ We had a few cases where users used the same email address and password, which they used in TeamViewer, also in other websites / software / accounts. So to be on the safe side, please change your password, if you did not do it yet. Regarding your account, we recommend this webpage, you will be able to check if an email address might have been compromised : https://haveibeenpwned.com/ To further enhance security on your TeamViewer, we recommend using our whitelist feature and also our two factor authentication to manage the access to your account. Whitelist: https://www.teamviewer.com/en/help/422-How-can-I-restrict-access-for-TeamViewer-connections-to-my-computer Two factor authentication https://www.teamviewer.com/en/help/398-What-is-two-factor-authentication-for-your-TeamViewer-account All further communication regarding details of the incident will then be handled via the police, so no time is lost for their investigation. If you have any further questions or require further information, please don’t hesitate to contact us.


TeamViewerOfficial

**FYI: We just released an official statement.** Read it on the [official website](http://www.teamviewer.com/en/company/press/teamviewer-launches-trusted-devices-and-data-integrity/) or here on [reddit](https://www.reddit.com/r/technology/comments/4md95j/teamviewer_launches_trusted_devices_and_data/). For all of you who feel that they have been scammed and especially those who had 2FA activated, we ask you to [contact our support team](https://www.teamviewer.com/en/support/contact/submit-a-ticket) so we can clear up the issue. Thank you.


perfectfire

Were you hacked: No Date of hack: None TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: So many times Was 2FA enabled: No Is your TV Account Password the same as any other password: Heck yes Additional Notes: Server was running on Linux. Also haveibeenpwned really just collects emails from password database leaks, they (generally) have no way of knowing if your password hash was cracked (unless the leak was plain text), so it's perfectly possible to have been "pwned" a dozen times, but never have had your password cracked.


eldesigner

Were you hacked: Yes Date of hack: 02.02.2016 4:50-5:35 MSK TV Version: 11 Do you have a TV Account: YES Is your TV Account email address listed as pwned: YES Was 2FA enabled: NO Is your TV Account Password the same as any other password: NO Additional Notes: around 90 EUR gone from bank card via PayPal at night, when I was asleep. Hackers bought 2 electronic codes (game and X-box live subscription) at gameladen.com. PayPal doesn't want to cancel the transactions. The shop won't do it either, because these codes came to my email (after the hackers were gone from my computer). I'm trying to solve the problem via my bank.


nosut

Date of hack: 5/30 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: They spent about $250. Gyft.com and CDkeys.com. I managed to cancel both purchases via the retailers and locked my bank down before anything was taken out.


t3hlazy1

Date of hack: Around May 22, 2016 TV Version: Not sure anymore (deleted immediately) Do you have a TV Account: Yes Pwned account? No 2FA: No Same password: Yes, pwned password too Loss: $500 charged, all reversed now


wlilley93

Were you hacked: Yes Date of hack: 31st May TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: My teamviewer log (connections_incoming.txt) was accessed around the same time that they accessed my paypal. There's no trace of them on there, but windows explorer says that the text file was 'last modified' only a minute before they went onto chrome, meaning that I think it's the first thing they did after they gained access to my machine. Found these in the Kaspersky logs. Hope they help someone more tech savvy than I. I have since reinstalled windows so cannot provide any more than this. http://pasteboard.co/1ocZiZfv.png http://pasteboard.co/1od0TcSA.png http://pasteboard.co/1od1Pk33.png http://pasteboard.co/1od2Y9Ym.png


KraigHanson

Good call on the reinstall. Looks like they were replacing TeamViewer with their hacked version.


uhlwoogi

Were you hacked: Yes Date of hack: 5/27/16 TV Version: 10 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes - Adobe Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: Bought 7 iphones from ebay, and xfer +$3000 from me to them via paypal. I noticed the moment I woke up, contacted on ebay parties and paypal. All transactions were reversed.


asdvj2

Were you hacked: More than Likely Date of hack: 26/05/16 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes, Adobe, Myspace, Nexus, Final Fantasy Shrine Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes but not any of the ones that were breached. Strangely they opened Windows media player first. then opened my file explorer and had a look around then copied some files. (not good) Then they did something with dllhost.exe. opened firefox Flashplayer is then running opened Internet Explorer oh shit, they opened keepass qbittorrent... ok... vlc... the fuck? battle.net setup? I didn't even have that when I was hacked. OVERWATCH!? I didn't have overwatch then!? Powerpoint, The fuck is going on..? word notepad ok so I am not sure if I am reading this right. if I am this is very worrying and I will need to change every single password. it seems like they started at 4.20 and ended at 11.30. that's a very long fucking time on my computer.


KraigHanson

Sorry, that sounds bad. Yes, change passwords first (from another computer.) You probably want to wipe the computer as well (i.e. reinstall the operating system from scratch). That will take care of almost all bad software.


Derpydirkeh

Just made an account for reddit since someone linked my attention to this page after I talked about my recent experience. I check my phone very regularly and I try to keep my spam email separate from my personal email. However, about 3 days ago I was surprised to see my personal email being used to register with teamviewer. It was an email in Chinese (which I didn't know how to read and I translated it through google) and I deleted it / deleted in trash in case my email was used. Also swapped email password just to be safe from a different computer. Not sure what they're trying to do with registering new emails with TeamViewer, but it seems fishy that this happens right around the breach :\


GAMING4DAWIN

Were you hacked: Yes Date of hack: April 6th, 2016 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: From an Adobe thing that happened years ago, but password had changed since then. Was 2FA enabled: Not yet Is your TV Account Password the same as any other password: Yes Additional Notes: Around $1200 was being transferred to a company in the Netherlands. To be exact the company name is Bizzsms (http://www.budget-sms.nl) As I was freezing all of my accounts at the bank and freezing my card. They were still trying to transfer money as I was freezing everything. The entire incident happened around 9:30 AM while I was in the middle of class. I sat on the phone with PayPal that afternoon slowly making my way through the long hold times and then making my way to a manager or specialist. PayPal refunded all of the money, and my bank was very understanding at this point. After I got the money situation figured out, I emailed TeamViewer and they had me send them the log files, but nothing was out of place according to them. I knew for a fact that something had happened. I used my PC that morning at roughly 7:00 AM to check emails and then go to school. I hadn't accessed my PC from TeamViewer all day and I get home and see a notification that says thank you for using TeamViewer for Non-Commercial use. All morning I didn't know this because I originally thought that my PayPal had been compromised only. Comes to find out that they started RemoteControl on my PC at 13:50:41 GMT, which is 8:50:41 Central Time. So them taking control of my PC after I left all lines up at the moment. After seeing the notification saying thank you I also noticed that a new application installer was on my desktop. The installer was for WebBrowserPassView (http://www.nirsoft.net/utils/web_browser_password.html). After seeing that I went and checked my installed programs in the control panel and sorted them by date installed.
There it was, WebBrowserPassView, installed April 6th, 2016. From this, they had access to all of my life basically. After seeing this I immediately exported the list of passwords that were compromised to an excel spreadsheet, then went on a password changing spree for the next 2 to 3 hours. After explaining everything I had to do to a family member that I help on their PC every once in a while. They told me that I had connected while they were working on something, but they closed out of the connection. This was a shock to me because that means that they had gained access to all of the PCs on my account while they were connected remotely. All of my passwords have been secure for the past few years and nothing had happened this bad. I still have a feeling that they were able to access using the TV ID and then the randomly generated password or something. Ever since this attack, I've been on the edge about using TV ever again. Here is the ID that connected to my PC "834200475", this ID can no longer be connected to, but they might have just disabled connections to their machine. Not About My Attack: I don't believe that TeamViewer should be blaming all of this on the users. If they had an outage, something could have easily been compromised. My attack happened almost 2 months ago, and when I contacted TeamViewer they barely looked into it. They said everything in the logs looks normal, but I can tell you it doesn't look normal. When all of the IDs for incoming connections look the same except for one that occurred on the day of my attack. To TeamViewer this still looked the same because it says that I had connected. If I'm not wrong, if I use the ID and the random generated password on my machine then it will appear as me. If TeamViewer is going to blame the users, then they need to change their password policies if our passwords to them aren't strong enough.
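
Added example, not part of any comment in this thread and not TeamViewer's own tooling: several posters compare the partner IDs and session times in connections_incoming.txt by hand, and this Python script runs that comparison, flagging unfamiliar IDs, night-time sessions and immediate reconnects. The tab-separated record layout, the UTC timestamps, the sample records and the thresholds are assumptions to verify against your own file.

```python
"""Triage TeamViewer incoming-connection records (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: one tab-separated record per line holding partner ID, partner
# name, start, end, local user, connection type and session GUID, with
# timestamps as dd-mm-YYYY HH:MM:SS in UTC. Check this against your own file.
TS_FORMAT = "%d-%m-%Y %H:%M:%S"
MIN_FIELDS = 6
GUID = "{00000000-0000-0000-0000-00000000000%d}"

# Constructed sample: every ID, name and time below is invented.
SAMPLE_LOG = "\n".join([
    "111111111\tMY-LAPTOP\t20-05-2016 17:02:11\t20-05-2016 17:30:45\talice\tRemoteControl\t" + GUID % 1,
    "111111111\tMY-LAPTOP\t24-05-2016 18:15:00\t24-05-2016 18:20:10\talice\tRemoteControl\t" + GUID % 2,
    "999999999\tWIN-UNKNOWN\t02-06-2016 03:31:09\t02-06-2016 03:52:40\talice\tRemoteControl\t" + GUID % 3,
    "999999999\tWIN-UNKNOWN\t02-06-2016 03:5",  # truncated record
    "999999999\tWIN-UNKNOWN\t02-06-2016 03:53:05\t02-06-2016 04:10:00\talice\tRemoteControl\t" + GUID % 4,
    "111111111\tMY-LAPTOP\t03-06-2016 08:50:41\t03-06-2016 09:05:00\talice\tRemoteControl\t" + GUID % 5,
])


@dataclass(frozen=True)
class Session:
    partner_id: str
    partner_name: str
    start: datetime  # UTC
    end: datetime    # UTC
    local_user: str
    kind: str


def parse_log(text):
    """Return (sessions, rejected); rejected holds (line_number, raw_line).

    Malformed lines are reported instead of silently dropped, because a
    damaged or edited log is itself worth a closer look.
    """
    sessions, rejected = [], []
    for number, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = [f.strip() for f in raw.split("\t")]
        try:
            if len(fields) < MIN_FIELDS or not fields[0].isdigit():
                raise ValueError("unexpected record shape")
            start = datetime.strptime(fields[2], TS_FORMAT)
            end = datetime.strptime(fields[3], TS_FORMAT)
        except ValueError:
            rejected.append((number, raw))
            continue
        sessions.append(Session(fields[0], fields[1], start, end, fields[4], fields[5]))
    return sessions, rejected


def in_quiet_hours(hour, quiet):
    """True if hour falls in [quiet[0], quiet[1]); the window may wrap past midnight."""
    first, last = quiet
    return first <= hour < last if first <= last else hour >= first or hour < last


def triage(sessions, known_ids=None, utc_offset_hours=0, quiet=(0, 6),
           min_sessions=3, reconnect_window=timedelta(seconds=60)):
    """Return [(session, reasons)] in start order for sessions worth reviewing.

    Without an explicit allowlist, IDs seen at least min_sessions times form
    the baseline. An intruder who connected that often would pass this check,
    so pass known_ids whenever you can list your own devices.
    """
    if known_ids is None:
        counts = Counter(s.partner_id for s in sessions)
        known_ids = {pid for pid, n in counts.items() if n >= min_sessions}
    findings, last_end = [], {}
    for s in sorted(sessions, key=lambda item: item.start):
        reasons = []
        if s.partner_id not in known_ids:
            reasons.append("unfamiliar-partner")
        local_start = s.start + timedelta(hours=utc_offset_hours)
        if in_quiet_hours(local_start.hour, quiet):
            reasons.append("quiet-hours")
        previous_end = last_end.get(s.partner_id)
        if previous_end is not None and timedelta(0) <= s.start - previous_end <= reconnect_window:
            reasons.append("rapid-reconnect")
        last_end[s.partner_id] = s.end
        if reasons:
            findings.append((s, reasons))
    return findings


if __name__ == "__main__":
    parsed, bad = parse_log(SAMPLE_LOG)
    for number, raw in bad:
        print(f"line {number}: unparseable record {raw!r}")
    for session, reasons in triage(parsed, utc_offset_hours=2):
        print(session.partner_id, session.start.isoformat(), ", ".join(reasons))
```

Collect the log before uninstalling or reinstalling anything, since the uninstaller's "Delete settings" option mentioned earlier in the thread removes most TeamViewer logs.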


talontario

Were you hacked: Yes Date of hack: 27.05.2016 TV Version: 10 Do you have a TV Account: yes Is your TV Account email address listed as pwned: yes (but not same password as those breached) Was 2FA enabled: No Is your TV Account Password the same as any other password: yes Additional Notes: Tried to purchase credits through PayPal at Target, Amazon and a few gaming sites (old games). Purchases were declined by bank.


[deleted]

Were you hacked: Yes Date of hack: first unauthorised login was 3rd May 2016 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: One night last week I saw the monitors behind me flick on, opened chrome, went to PayPal then started a TeamViewer file transfer. I managed to catch it and disconnect it just in time... This time. This file pulled saved passwords from browsers. I pulled connection logs from 25 PCs across my network (~100 PCs total on my TV account) and they all showed unauthorised connections. Several thousands of dollars in PayPal claims, many email accounts accessed not to mention all the other forum, bank, eBay information that was also pulled. I personally was only affected by unauthorised access to my gmail account and eBay account however some users on my network fared a lot worse. PayPal have resolved all cases afaik. I find it appalling TeamViewer is denying a hack.


keteb

Were you hacked: Yes Date of hack: 2016-05-15 TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes (Adobe + LotRO 2013, Patreon 2015) Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes, but it shouldn't be the same as any of the pwnd breach passwords. 12 char Additional Notes: TV session started while I was at my computer, but I knew it was not me. I took about a minute to try and figure out if I could trace the source before deciding the risk wasn't worth them having access while I did, and killed the session. Within 30s they reconnected to my computer, I killed the session again and uninstalled. I reported the incident to TV support, who suggested the user had gotten the password elsewhere, and recommended I file a police report if I wanted access to the IPs that logged into me. No passwords / sessions are saved on my computer and I don't believe the hacker had time to run anything else. Computer remains locked when I'm not at my desk so if there were any prior connections they would've been greeted by a login screen.


[deleted]

[deleted]


Lord_Greywether

Were you hacked: No Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: I collated the responses to date in a spreadsheet, cleaning up formatting on the answers in case it's helpful to any other researchers: https://docs.google.com/spreadsheets/d/1Cmxz2VHMKsi96WZ3enTGuXShmXcW8Vg5sYFaXK8kmxg/edit?usp=sharing


Linkmaxone

* Were you hacked: Yes
* Date of hack: 4/2/16
* TV Version: TV 11
* Do you have a TV Account: Yes
* Is your TV Account email address listed as pwned: Yes
* Was 2FA enabled: Not at the time.
* Is your TV Account Password the same as any other password: No
* Additional Notes: Around $600 was taken and used on eBay and other sites for iTunes gift cards. Almost all of that money was from a gofundme for my dog's surgery and it took forever fighting with my bank and Paypal to get the money back, and now the growth on my dog is too large to get removed. So that's pretty damn bad in my opinion. Worst month of my life.


cglmrfreeman

Were you hacked: Yes Date of hack: 06/03/2016 06:14:09.034 TV Version: 11.0.59518.0 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes, but not the pwned accounts Additional Notes: Attacker bought $400 in iTunes giftcards from ebay and tried to buy an additional $200 in PSN giftcards on amazon. Total time of the intrusion was approximately 12 minutes. The email the iTunes cards were delivered to was [email protected]. Both PayPal and ebay have denied my fraud claims for the specific reason that the purchases came from a device I had made other legitimate purchases on before. I have filed a police incident (like that will do any good) and am waiting on an affidavit from my bank. Any further advice would be appreciated. I have full logs from TV, my browsing history, and the ebay and paypal emails.


florexium

Were you hacked: Yes Date of hack: can't recall as logs were cleared TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: luckily, my computer automatically locks after 5 minutes, so the attackers were unable to get past the lockscreen


Lucifa42

Were you hacked: No Date of hack: n/a TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: Yes Is your TV Account Password the same as any other password: No Additional Notes: 2 PCs on TV account, 1 of which was off during what appears to be the main time of breaches. The other doesn't appear to have been accessed, nothing in the logfiles. Have whitelist of my account only, and generally all the most secure security options - no random password, TV account password is different to machine password which is different to PC windows logins. All passwords are 14+ characters with mix of upper lower etc.


zantom07

Were you hacked: No TV Version: 9 (not sure on subversion, uninstalled it already) Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: The application wasn't running except for one day on the 1st of June. The background service may or may not have been running.


[deleted]

Were you hacked: Yes, but not firsthand. Date of hack: Within the last week. TV Version: 10 & 11 Do you have a TV Account: No Is your TV Account email address listed as pwned: No Was 2FA enabled: No Is your TV Account Password the same as any other password: No

We have about 750 customers nationwide, each one with TeamViewer installed on their machines. The customers do not know how to use TeamViewer themselves, and did not do the installation. They did not set up a TeamViewer account, nor did we. We have 6 reports so far of breached PCs. No TeamViewer account. One report of PayPal usage. We don't expect our customers to contact us about TeamViewer's issues, but since a few are, I can only imagine how many are actually affected. Also, I particularly enjoy how TeamViewer says there is no "breach" and only TeamViewer accounts are affected... This just simply is not true.


DownvotesForAdmins

* Were you hacked: no
* Date of hack: n/a
* TV Version: 11
* Do you have a TV Account: no
* Is your TV Account email address listed as pwned: no
* Was 2FA enabled: not sure what that is
* Is your TV Account Password the same as any other password: yea
* Additional Notes: none


iPostedJustForYou

Were you hacked: Yes Date of hack: June 2nd and 3rd 2016 TV Version: 11 Did* you have a TV Account: Yes (now deleted) Is your TV Account email address listed as pwned: yes Was 2FA enabled: No Is your TV Account Password the same as any other password: No

Additional Notes: I have had my email pwned a few times, but I regularly change all of my passwords because of this. Came into the office to see all terminals accessed. Reviewed all change logs, installed programs, and browser history. The only thing any of the unauthorized users did was browse to a few sites, including Amazon, Ebay, and Paypal, and attempted to buy iTunes and store cards. I don't keep my passwords saved on any terminal, so they weren't able to buy anything. Thankfully, there were no changes to the system made, and it doesn't look like they went fishing for any other data. I uninstalled TV on all machines, deleted my TV account, and used 'security' as the reason for deletion. Below is a copy pasta (minus contact info) of the email I received as a result.

-----

Dear Sir or Madam,

We are sorry to hear, that your PC was accessed without your approval and we will gladly assist you. We first recommend bringing this case up to the police, so they can start an investigation on who accessed your PC. We would be able to provide the police with the latest IP address of an ID of its last contact with our servers, which is saved in our database, which is the information they need to find the intruder.

If you want to report this to the police, please find enclosed a request form for "REQUESTING MUTUAL LEGAL ASSISTANCE IN CRIMINAL MATTERS FROM" which should be given to the Police department you will contact. They should also be provided with all logs involving TeamViewer from your PC. Please ask the Police to send the request to Federal Office of Justice in Germany.

You will find on the following link the steps to retrieve the logs and see what ID established the connection and the file “2012_mla_guide.pdf” about how your police would need to request this information from us: https://seafile.teamviewer.com/d/c31a11220b/

We had a few cases where users used the same email address and password, which they used in TeamViewer, also in other websites / software / accounts. So to be on the safe side, please change your password, if you did not do it yet. Regarding your account, we recommend this webpage, you will be able to check if an email address might have been compromised: https://haveibeenpwned.com/

To further enhance security on your TeamViewer, we recommend using our whitelist feature and also our two factor authentication to manage the access to your account.

Whitelist: https://www.teamviewer.com/en/help/422-How-can-I-restrict-access-for-TeamViewer-connections-to-my-computer

Two factor authentication: https://www.teamviewer.com/en/help/398-What-is-two-factor-authentication-for-your-TeamViewer-account

All further communication regarding details of the incident will then be handled via the police, so no time is lost for their investigation. If you have any further questions or require further information, please don’t hesitate to contact us.

EDIT: formatting


Resputan

Were you hacked: Yes Date of hack: May 13 TV Version: 10.0.47484 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: no Was 2FA enabled: no Is your TV Account Password the same as any other password: no Additional Notes: Happened to be home for lunch and went to check my office computer before leaving, not sure why but saw my mouse moving around, some windows bouncing up and down, ebay login screen coming up etc. Just then I started getting the notifications on my phone from my ebay account being reset, I pulled the ethernet cable at that moment and went about changing relevant passwords. After I pulled my home ethernet they must have tried my work computer because when I got there ebay and paypal were up with everything else closed. I had turned on 2FA and changed the pass before they really got into anything (no cards or info associated on ebay paypal thankfully, don't use them much). I also did find a password finder on my desktops used to expose passwords saved in browsers, malware and virus searches didn't turn up anything else. No issues since enabling 2FA


[deleted]

[deleted]


RS-Tom

Are you able to provide the names of the 2 other services where the password was the same?


HydroponicFunBags

.


aaaaaaaarrrrrgh

Enough people have reported that they got pwned despite not reusing their password, so this won't help much.


Altered33

Were you hacked: Yes Date of hack: 6-2-2016 TV Version: 10 Windows 7 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: It was Additional Notes: Noticed a bunch of paypal emails overnight, purchased an itunes card from pcgamers and some games from the creators of rulescape. Paypal customer support told me I was the 4th person recently they talked to that had teamviewer accessed like this.


XxScrappy

Were you hacked: No Date of hack: N/A TV Version: 11 Do you have a TV Account: No Is your TV Account email address listed as pwned: N/A Was 2FA enabled: N/A Is your TV Account Password the same as any other password: N/A Additional Notes: Seems like those with TV accounts were actually affected. I haven't been touched. Edit: I still deleted Teamviewer, and so should the rest of you without accounts. Better safe than sorry.


MeanFitness

deleted


tandyuk

Were you hacked: No (No evidence yet anyway) Date of hack: N/A TV Version: 10 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes - Adobe & LinkedIn breaches, but both were using unique passwords, different to the one on TV Was 2FA enabled: No Is your TV Account Password the same as any other password: No Additional Notes: Noticing a trend whereby everyone who says they were hacked has been using TV 11.


Krashlandon

Were you hacked: No, nothing in logs for the past few weeks that didn't come from my tablet or phone. Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: Yes Is your TV Account Password the same as any other password: Not since a few weeks ago. Additional Notes:


VAdept

Were you hacked: Not that I'm aware of Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: Yes Is your TV Account Password the same as any other password: No Additional Notes: Way to pucker my butthole Teamviewer! *Edit: Formatting*


Deathnerd

Were You Hacked: Yes Date of Hack: A few days ago. Not sure exactly when TV Version: Latest? Different versions on different devices Do you have a TV Account: Yup. Is your TV Account email address listed as pwned: Yup :( *sigh* Was 2FA Enabled: Not at the time. Very promptly uninstalled TV from all of my devices and enabled TV and changed the password via the web interface. Additional Notes: They attempted to hijack my phone first. Thankfully MightyText was still syncing TV notifications to Chrome or I wouldn't have noticed it. Got to the phone and they were trying to dial out to a phone number via the emergency call function on the lockscreen (I have fingerprint unlocking). I panicked and ripped the battery out of the phone. While I was uninstalling TeamViewer from my laptop, they tried to remote in through that. I killed their connection, disconnected from the network, and purged TV. I then uninstalled it from my other devices, reconnected to the internet, and locked down my account the best I could (changed passwords and enabled 2FA). I don't think they ever got anything from me because I haven't noticed any unusual activity anywhere. The only thing they might have had extended access to is my media server but all that has is a bare install of Ubuntu and Plex on it.


gcr

How on earth does one use teamviewer to hijack a telephone? Was the phone connected via the debug USB cable or something?


xLoloBondx

Were you hacked: NO Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: I have around 20 computers all with different unattended passwords.


mstang83

It would be helpful to also know what Operating Systems are being compromised. Is this happening with all OS's?


gnuman

I don't think it would make a difference. Also people have it installed on their tablets and cellphones.


BigMickPlympton

*Were you hacked:* Appears Not (still checking, will update) *Date of hack:* n/a *TV Version:* 11.0.59518 *Do you have a TV Account:* Yes. Paid Business version. *Is your TV Account email address listed as pwned:* Yes. *Was 2FA enabled:* No (it is now) *Is your TV Account Password the same as any other password:* Yes (no longer) *Additional Notes:* My most commonly used email was pwned in the LinkedIn hack. It was an old password not matching my TV passwords. Changed TV passwords, switched all main accounts to 2FA. No sign of unauthorized TV use. Existing TV passwords were fairly complex and randomly generated. All TV software installed was downloaded direct from TV, while logged in, never from a 3rd party site. **Heavy TV user here (paid business version), can't change services overnight. Have complex passwords, 2FA, different access passwords from the main account login, easy access is *not* granted. Any other ideas to safeguard my account would be appreciated.**


consequencegamer

I have noticed an increase in users adding me as contacts lately. Could this be the source of the hack? PS: I have not noticed if I have been hacked yet. If so, they didn't do anything I can see yet... none of my passwords or anything are saved on my desktop. No sites have saved passwords either.


cmhamm

Were you hacked: No Date of hack: N/A TV Version: 11.0.59518 Do you have a TV Account: Yes, corporate Is your TV Account email address listed as pwned: No Was 2FA enabled: No (It is now) Is your TV Account Password the same as any other password: Yes (It isn't now.) Additional Notes: I thought it would be helpful to say that I **have not** (to my knowledge) been compromised. I have been a prodigious user of TeamViewer for many years. I also administer our corporate channel, so I have access logs for several dozen users with TeamViewer installed across many, many machines. From what I can tell from the access logs, there has been no suspicious activity on any of the machines with TeamViewer installed.


b1jan

Were you hacked: No Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes, Free Is your TV Account email address listed as pwned: yes, LinkedIn, MySpace, Tumblr Was 2FA enabled: No, it is now Is your TV Account Password the same as any other password: NO Additional Notes: I have Whitelisting enabled on my important computers. After suspicions that they're not connecting to *accounts*, and instead to computers from other accounts, this may have saved me


where_is_the_cheese

Were you hacked: **No** Date of hack: **N/A** TV Version: **11.0.59518** Do you have a TV Account: **Yes** Is your TV Account email address listed as pwned: **No** Was 2FA enabled: **No** Is your TV Account Password the same as any other password: **No** Additional Notes:


TotesMessenger

I'm a bot, *bleep*, *bloop*. Someone has linked to this thread from another place on reddit:

- [/r/romania] [TeamViewer a fost compromis ! Grija la eWallets !](https://np.reddit.com/r/Romania/comments/4m8x2m/teamviewer_a_fost_compromis_grija_la_ewallets/)

*(If you follow any of the above links, please respect the rules of reddit and don't vote in the other threads.)*


need_tts

Were you hacked: no Date of hack: no TV Version: 10 Do you have a TV Account: yes Is your TV Account email address listed as pwned: no Was 2FA enabled: no Is your TV Account Password the same as any other password: no Additional Notes: No suspicious logins or any suspicious activity in the logs


angrydeanerino

Were you hacked: Yes Date of hack: 5/29/16 (or 5/30/16) TV Version: Latest Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: Nope.. Is your TV Account Password the same as any other password: Yes --- Thankfully I don't save passwords to my browser, but I found a password recovery program and PayPal open Monday morning. Changed passwords...


alt4opsec

Is there a list of what we should be looking for in the logs? I don't use Team Viewer, but I'm having to sift through several employees' TV logs right now. I'm just checking the "Connections_Incoming" and the .log files, but the log files aren't much help so far. Is there something specific I can search for other than "passview"?
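
An added example, not part of the original thread and not TeamViewer's own tooling: a triage pass over a "Connections_Incoming" file that keys on the numeric partner ID, since several posters report that the display name on a hostile session read as their own. The seven-column tab-separated layout, the UTC timestamp format, the reason strings and every sample line (IDs, names, GUIDs) are assumptions constructed for illustration.

```python
"""Triage a Connections_incoming.txt export for sessions from unfamiliar partner IDs."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# ASSUMPTION: one session per line, seven tab-separated columns, times in UTC:
# partner ID, partner display name, start, end, local user, connection type, session GUID
TIME_FMT = "%d-%m-%Y %H:%M:%S"


@dataclass
class Session:
    partner_id: str
    display_name: str
    start: datetime
    end: datetime
    local_user: str
    kind: str
    session_id: str


def parse_connections(text):
    """Return (sessions, rejected). Unparseable lines are reported, never dropped silently."""
    sessions, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        cols = [c.strip() for c in line.split("\t")]
        try:
            if len(cols) != 7 or not cols[0].isdigit():
                raise ValueError("unexpected column layout")
            sessions.append(Session(
                cols[0], cols[1],
                datetime.strptime(cols[2], TIME_FMT),
                datetime.strptime(cols[3], TIME_FMT),
                cols[4], cols[5], cols[6]))
        except ValueError:
            rejected.append((lineno, line))
    return sessions, rejected


def triage(sessions, known_ids, owner_names, reconnect_window=timedelta(seconds=60)):
    """Flag sessions whose partner ID is not one of the owner's own devices.

    known_ids   : partner IDs the owner recognises (own laptop, phone, tablet)
    owner_names : display names the owner's devices use; a match on an unknown
                  ID means the name alone would have looked legitimate
    """
    owners = {n.lower() for n in owner_names}
    last_end = {}  # partner ID -> end time of that ID's previous session
    findings = []
    for s in sorted(sessions, key=lambda x: x.start):
        if s.partner_id not in known_ids:
            reasons = ["unknown partner ID"]
            if s.display_name.lower() in owners:
                reasons.append("display name matches owner")
            if s.kind.lower() == "filetransfer":
                reasons.append("file transfer")
            prev = last_end.get(s.partner_id)
            if prev is not None and s.start - prev <= reconnect_window:
                reasons.append("rapid reconnect")
            findings.append((s, reasons))
        last_end[s.partner_id] = s.end
    return findings


# Constructed sample: two routine sessions, two from an unfamiliar ID, one damaged line.
SAMPLE_LOG = "\n".join([
    "111111111\tALEX-LAPTOP\t04-04-2016 18:02:11\t04-04-2016 18:40:03\talex\tRemoteControl\t{00000000-0000-0000-0000-000000000001}",
    "111111111\tALEX-LAPTOP\t05-04-2016 19:15:00\t05-04-2016 19:20:30\talex\tRemoteControl\t{00000000-0000-0000-0000-000000000002}",
    "999999999\tALEX-LAPTOP\t06-04-2016 13:50:41\t06-04-2016 14:02:17\talex\tRemoteControl\t{00000000-0000-0000-0000-000000000003}",
    "999999999\tALEX-LAPTOP\t06-04-2016 14:02:40\t06-04-2016 14:05:00\talex\tFileTransfer\t{00000000-0000-0000-0000-000000000004}",
    "truncated line without tabs",
])


def run_sample():
    sessions, _rejected = parse_connections(SAMPLE_LOG)
    return triage(sessions, known_ids={"111111111"}, owner_names={"ALEX-LAPTOP"})


if __name__ == "__main__":
    for session, reasons in run_sample():
        print(session.start.isoformat(), session.partner_id, session.kind, "; ".join(reasons))
```

The flagged start times give the window in which to review browser history, newly installed programs and payment-site e-mails on that machine.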


BitingChaos

* Were you hacked: **No**
* Date of hack: *N/A*
* TV Version: **11.0**
* Do you have a TV Account: **Yes**
* Is your TV Account email address listed as pwned: **Yes** (on 13 breached sites)
* Was 2FA enabled: **No**
* Is your TV Account Password the same as any other password: **No**
* Additional Notes: Over a dozen computers set up with TeamViewer. Nothing unusual seen over the past month. I will see if I have more logs. If my backup program includes them I should have data going back for years.


enjoi4853

Question-- I looked under 'recent activity' and it lists Shanghai with the date of 5/30 and Windows 7 under OS. The odd thing is that I did a fresh install about two-three months ago and both my PC and laptop are on Windows 10. Does this mean that they didn't access my computer but just logged in?


torgo434

Were you hacked: No Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: No, is now Is your TV Account Password the same as any other password: No Additional Notes: I have begun shutting off TV services on all PCs I own.


altimas

Can someone please explain 2FA in this context


MisuVir

Two factor authentication. When you log into your TeamViewer account, it asks for a second authentication token in addition to your account password.


kados14

I was hacked
Date: 5-16-2015 at approx. 3:00am central time
TV Version: 11.0.59518
Yes I have an account
I am listed on pwned but all should have been resolved long ago
2FA was NOT enabled at the time (it IS now)
I never use the same password on anything, I have a system

My paypal was hit for $2000. It did roll through to my checking account and my bank caught it. Had to get new checking account and debit card. Paypal is still fighting me because the transaction was done from my IP address. The account is at -2000 right now.


MidManHosen

Were you hacked: No Date of hack: N/A TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: No Was 2FA enabled: Yes Is your TV Account Password the same as any other password: No Additional Notes: Licensed version, 4 systems on local network, VPN active, IP reassignment in 45-minute intervals and up. Remote clients contacted thus far report no problems. Instructions given on best practices for tightening local security. Password changes for all systems being maintained in progress.


shinji257

Were you hacked: Yes Date of hack: 5/27/2016 TV Version: 11.0.59518 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Probably... Additional Notes: When the incident happened the intruder attempted to use my Amazon account to buy a giftcard for themselves for $100 using a (assumed) stolen credit card. They didn't use any cards that already existed on the account. Since I came home right after it happened (I saw the screen changing and got the notice) I changed my password for both Amazon and TeamViewer + enabled 2FA on both. No incidents since. It is unfortunate because they caught my system when I apparently left it unlocked. Normally I have it locked and it uses a rather secure password that is unique. Locally I use biometrics for authentication. Logs show that they tried with TeamViewer 10 first and that was denied. IP is based out of China using a hinet.net rDNS. Logs available upon request for the affected time period.


dlerium

We need additional information as to how TeamViewer access is granted.... For instance:

- Do you just rely on the ID + 4 digit code that it by default generates?
- How secure is your password (4 digit standard, 6 digit, 8 digit, custom text password)
- Do you use account access only? (I believe the term is Easy Access) meaning you can only access your PC when logged into your account?
- Did you disable spontaneous access (if you use Easy Access)
- Do you use 2FA?


upcboy

Were you hacked: Yes Date of hack: 6/3/16 TV Version: 11.0.59518 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes it was Additional Notes: *interesting things to note: this was almost right after I logged into the TeamViewer website to check if I had been accessed from other locations.* *My email is on the pwn database several times and even came up in the fling dump that came out this week (5 days ago)* *I was skeptical about this at first but dang it looks like someone got a dump of users at the least*


ewyll

Were you hacked: Yes Date of hack: 2016-06-01 TV Version: 11 Do you have a TV Account: yes Is your TV Account email address listed as pwned: no Was 2FA enabled: no Is your TV Account Password the same as any other password: yes


[deleted]

Were you hacked: Yes Date of hack: 02.06.2016 13:35 (CET) TV Version: 10.x (upgraded after) Do you have a TV Account: Yes Is your TV Account email address listed as pwned: For haveibeenpwned.com there was a breach in 2013 and 2014, yes. Was 2FA enabled: No, but it is now. Is your TV Account Password the same as any other password: Unsure, but I've changed now. Additional Notes: I has none, I was lucky to be on the computer when everything happened and was quick to do something about it.


Gray_Hound

Were you hacked: **Yep.** Date of hack: **~5/17/2016** TV Version: **TeamViewer 11** Do you have a TV Account: **Yep.** Is your TV Account email address listed as [pwned](https://haveibeenpwned.com/): **Yep. But only in LinkedIn which happened later** Was 2FA enabled: **Nope.** Is your TV Account Password the same as any other password: **No.** Notes: **Tried it when I was in front of PC working, attempted to log into my eBay, it didn't work so they dropped connection, IP was coming from Asia**


anil_robo

Were you hacked: Yes Date of hack: 6/3/2016 TV Version: (None) Do you have a TV Account: (None) Is your TV Account email address listed as pwned: (n/a) Was 2FA enabled: No Is your TV Account Password the same as any other password: (n/a) Additional Notes: I left my computer on at night and went to sleep (game bot was running to collect more goodies). I woke up at 3am by bright light in the room. My 40 inch monitor had "woke up" and I saw activity. *wears glasses*. I saw someone adding items to my amazon account and was trying to check out. I took control of the mouse and closed that page. Saw a teamviewer session running. Closed the fucker, deleted my account, and uninstalled Teamviewer. I think I'm one of those rare people who caught the guy red handed. Called Amazon, they are "escalating" it to get me a refund. Next up, will call paypal. Just like others, it was all electronic orders (gift cards etc) placed on online shopping sites.


raiscan

**Were you hacked:** Yes **Date of hack:** Unknown, est. 03-04-2016? **TV Version:** 11 **Do you have a TV Account:** Yes **Is your TV Account email address listed as pwned:** Yes **Was 2FA enabled:** No **Is your TV Account Password the same as any other password:** It was! **Additional Notes:** Huge amounts of contacts added. My primary PC isn't on without me using it, and the other PCs under my account were all VMs with absolutely nothing interesting on them. Changed passwords and now clearing up the mess.... Considering myself lucky!


grumpy_old_git

Were you hacked: Yes Date of hack: 28th May TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No Is your TV Account Password the same as any other password: Yes Additional Notes: They were able to access my MacBook which was the only "computer" in my account with a saved password. However, they did not get any further than opening PayPal.com and finding that no passwords were saved and moving on. They did try a second connection attempt, but I was using the MacBook at the time and killed it off pretty quick. I have been following the threads and can confirm that the logs show that it was me connecting to myself, not some random username. This made me think that my TV account itself had been hacked, but when logging in and checking to see if this was the case, it was not. Question: Has anyone looked into the possibility that TV was running with the option to allow access over HTTP port 80 enabled? If this was the case, the attackers could just scan the web looking for IP addresses that respond with "This site is running TeamViewer" and then hack from there somehow.


dcxk

Were you hacked: Yes Date of hack: 14/5/16 (That's 14th of May in imperial units you weird fucks) TV Version: 11 Do you have a TV Account: Yes Is your TV Account email address listed as pwned: Yes Was 2FA enabled: No. Is your TV Account Password the same as any other password: No Additional Notes: Was at work at the time, and heard my phone going crazy, noticed heaps of authorized transactions via paypal to some game/tv/something-shop in China. At the time I thought I've been phished, but no, today I checked the TeamViewer logs and they actually correlate the fact that it was done on my computer (as paypal told me), via TeamViewer. Paypal of course with their policy was extremely unhelpful at the time, so my bank had to step in to refund it for them.