GoToMyPC Suffers Major Password Reuse Attack

Citrix Systems is forcing all its GoToMyPC remote desktop access service customers to reset their passwords because of a “very sophisticated attack” that targeted the service over the weekend.

John Bennett, product line director for Citrix, said the attack was a result of leaked passwords from other accounts used to crack open existing GoToMyPC accounts.

“Citrix can confirm the recent incident was a password reuse attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users,” Bennett told Threatpost in an email statement.

Impacted are an undisclosed number of consumer, pro and enterprise customers. Citrix posted a warning to its customers on its website Saturday alerting customers of the attack and instructing them to reset their passwords. On Monday, GoToMyPC customers logging into their accounts were informed their password was incorrect and forced to change it.

“At this time, the response includes a mandatory password reset for all GoToMyPC users,” Bennett wrote to Threatpost. He declined to share how many GoToMyPC accounts were part of the reuse attack or what constituted the “sophisticated” nature of the attacks.

GoToMyPC is just the latest company to force its users to reset their passwords. Over the last several weeks, several firms including Twitter, GitHub, Tumblr, iMesh and LinkedIn also forced their customers to reset their passwords. Most notably, TeamViewer, which offers a similar product to GoToMyPC, required its customers to reset their passwords after it said it detected a number of successful intrusions tied to stolen credentials.

“We suspect these password resets are tied to the over 500 million credential breaches we’ve seen this year alone,” said Orlando Scott-Cowley, cybersecurity strategist at email security firm Mimecast in an interview with Threatpost. In the past few weeks, account breaches have been reported by LinkedIn, Tumblr, Fling and MySpace – bringing the total number of compromised accounts to more than 700 million.

“It’s a good bet that these massive stolen user credential databases are being cross-referenced on the dark web,” he said. Each one of these stolen accounts might not be worth much alone, he said. But together many seemingly disparate user accounts can come together and create a complete user profile for hacking into high-value accounts, Scott-Cowley said.

Remote desktop accounts are considered highly attractive to attackers because, with a user name and password, a hacker can gain direct access to a computer and bypass security software.

Experts at ThreatMetrix estimate that password reuse is a bad habit that 60 percent of internet users are guilty of. It’s common sense that users should not reuse passwords on multiple sites and should bolster password protection using tools such as two-factor authentication, said Patrick Wardle, director of research at Synack.

“It’s quite trivial for hackers to automate password attacks. Given a list of passwords (either from a dictionary) or, better yet, from an existing leak – hackers can easily write scripts that attempt to compromise accounts by guessing multiple passwords,” Wardle said.
