Cyber Incident Victim: TeamViewer GmbH
Date: Jun 2016
Location: Germany
Summary
TeamViewer experienced a significant number of user account compromises, which the company attributed to credential reuse from unrelated third-party breaches, including LinkedIn and MySpace. Attackers exploited these credentials to gain remote access to victims' devices, enabling unauthorized financial transactions through linked PayPal and bank accounts. The company found no evidence of a breach within its own systems or a bypass of its two-factor authentication, though some users reported such incidents without providing requested log files for verification. Compromised accounts allowed attackers to control assigned devices unless additional access policies like whitelisting or secondary passwords were enabled. TeamViewer apologized for initially characterizing the incidents as resulting from user carelessness, clarifying the need for heightened security when using remote access tools.
| CIA Posture | Motives | Tactics, Techniques & Procedures |
|---|---|---|
| Available to members | 1 motive | 1 technique |
| Threat Actors | Type | Location |
|---|---|---|
| 0 actors | Available to members | Available to members |
Description
In early June 2016, TeamViewer faced widespread reports of unauthorized account access impacting users globally. Over the preceding month, numerous individuals reported criminals exploiting their TeamViewer accounts to remotely access connected devices, leading to drained PayPal, banking, and e-commerce accounts. Critics speculated that TeamViewer's infrastructure had been breached, enabling mass account takeovers. On June 4, TeamViewer spokesperson Axel Schmidt confirmed the number of compromised accounts was "significant" but denied any breach of their systems. The company attributed the incidents exclusively to credential stuffing attacks leveraging passwords exposed in third-party breaches, specifically referencing the LinkedIn and MySpace megabreaches that collectively exposed over 642 million credentials. Schmidt emphasized that compromised accounts overwhelmingly reused these exposed credentials across multiple services and often employed weak passwords like pet names or family references. TeamViewer maintained that attackers gained initial access through these reused credentials rather than exploiting a vulnerability in their platform.

TeamViewer's investigation found no evidence of two-factor authentication (2FA) bypasses despite user claims, though the company acknowledged difficulties verifying these reports due to affected users not submitting required log files for analysis. The compromised accounts primarily involved TeamViewer's business and free user accounts, which allowed centralized management of multiple devices. Attackers who gained account access could control any assigned devices unless additional access passwords or whitelisting policies were enabled. TeamViewer reiterated recommendations for strong, unique passwords, password managers, device whitelists, and antivirus software to mitigate risks. The company apologized for earlier statements describing "careless use" by victims, clarifying that remote access tools inherently require heightened security precautions given their privileged system access. Financial theft occurred partly because users stored banking credentials in browsers, enabling intruders to extract them via installed tools during unauthorized sessions. TeamViewer noted the surge in incidents coincided temporally with the third-party breach disclosures but did not disclose exact victim counts beyond confirming a "significant" scope.
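The write-up turns on two defensive points: the account takeovers showed the signature of credential stuffing (one source trying many different accounts with a low success rate), and a stolen password alone was not enough to reach a device when a whitelist or an additional access password was configured. The script below is an added example, not TeamViewer's own code or logs; the login events, IP addresses, account names, and detection thresholds are all constructed for illustration. It flags credential-stuffing sources in a batch of login events and models the whitelist and access-password checks as a per-device policy.

```python
"""Credential-stuffing triage and device-access policy checks.

Added example (not TeamViewer's code). All events, addresses, account
names and thresholds below are constructed for illustration.
"""
import hmac
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LoginEvent:
    ts: int          # seconds since epoch (constructed values)
    src_ip: str
    account: str
    success: bool


# Constructed sample: 203.0.113.7 sprays eight different accounts in a little
# over a minute and lands one login with a password reused from elsewhere;
# 198.51.100.20 is a normal user who mistypes once and then signs in.
SAMPLE_EVENTS = [
    LoginEvent(1000, "203.0.113.7", "alice@example.test", False),
    LoginEvent(1010, "203.0.113.7", "bob@example.test", False),
    LoginEvent(1020, "203.0.113.7", "carol@example.test", True),
    LoginEvent(1030, "203.0.113.7", "dave@example.test", False),
    LoginEvent(1040, "203.0.113.7", "erin@example.test", False),
    LoginEvent(1050, "203.0.113.7", "frank@example.test", False),
    LoginEvent(1060, "203.0.113.7", "grace@example.test", False),
    LoginEvent(1070, "203.0.113.7", "heidi@example.test", False),
    LoginEvent(1100, "198.51.100.20", "ivan@example.test", False),
    LoginEvent(1115, "198.51.100.20", "ivan@example.test", True),
]


def find_stuffing_sources(events, min_accounts=5, max_success_ratio=0.25, window_s=600):
    """Flag source IPs that, within any window_s-second sliding window, try at
    least min_accounts distinct accounts with a success ratio at or below
    max_success_ratio. Thresholds are illustrative, not tuned values.
    Returns {ip: {"accounts": [...], "succeeded": [...]}}."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)

    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(evs)):
            # Advance the window start so the window never exceeds window_s.
            while evs[end].ts - evs[start].ts > window_s:
                start += 1
            win = evs[start:end + 1]
            accounts = {e.account for e in win}
            ratio = sum(e.success for e in win) / len(win)
            if len(accounts) >= min_accounts and ratio <= max_success_ratio:
                entry = flagged.setdefault(ip, {"accounts": set(), "succeeded": set()})
                entry["accounts"].update(accounts)
                entry["succeeded"].update(e.account for e in win if e.success)

    # The accounts that succeeded from a flagged source are the ones to
    # force a password reset on and to review for device sessions.
    return {ip: {k: sorted(v) for k, v in d.items()} for ip, d in flagged.items()}


@dataclass(frozen=True)
class DevicePolicy:
    """Per-device access policy. An empty allowed_accounts means no whitelist
    is configured; access_password is an extra secret required to connect,
    independent of the account login."""
    device_id: str
    allowed_accounts: frozenset = frozenset()
    access_password: Optional[str] = None


def device_access_allowed(account, policy, presented_password=None):
    """Decide whether an already-authenticated account may connect to a device.
    Returns (allowed, reason). With a whitelist, an account outside it is
    refused even though its login succeeded; with an access password, the
    connecting side must also present the correct secret."""
    if policy.allowed_accounts and account not in policy.allowed_accounts:
        return False, "account not on device whitelist"
    if policy.access_password is not None:
        if presented_password is None or not hmac.compare_digest(
            policy.access_password, presented_password
        ):
            return False, "device access password missing or wrong"
    return True, "allowed"


if __name__ == "__main__":
    for ip, info in find_stuffing_sources(SAMPLE_EVENTS).items():
        print(f"{ip}: tried {len(info['accounts'])} accounts, succeeded on {info['succeeded']}")
    open_device = DevicePolicy("dev-1")
    listed_device = DevicePolicy("dev-2", allowed_accounts=frozenset({"owner@example.test"}))
    print(device_access_allowed("carol@example.test", open_device))
    print(device_access_allowed("carol@example.test", listed_device))
```

Run against the constructed events, the spraying source is flagged with the single account it succeeded on, while the user who mistyped once is not. The policy check shows why the write-up stresses whitelists and access passwords: the same compromised account that opens an unprotected device is refused on a device with either control enabled.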
