GoToMyPC accounts hacked, all customer passwords reset

Remote access tool gets remotely accessed… by hackers.

GoToMyPC

Experiencing a problem logging into GoToMyPC? There’s a reason for that. Your password has been reset by Citrix, the company which runs GoToMyPC.com, after hackers reportedly attacked the service.

Here is part of GoToMyPC’s security advisory:

IMPORTANT SECURITY MESSAGE FROM THE GoToMYPC TEAM

Sign up to our free newsletter.
Security news, advice, and tips.

Dear Valued Customer,

Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack. To protect you, the security team recommended that we reset all customer passwords immediately.

Effective immediately, you will be required to reset your GoToMYPC password before you can login again.
To reset your password please use your regular GoToMYPC login link.

Recommendations for a strong password:

  • Don’t use a word from the dictionary
  • Select strong passwords that can’t easily be guessed with 8 or more characters
  • Make it Complex – Randomly add capital letters, punctuation or symbols
  • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”.

It’s a shame in their recommendations GoToMyPC’s security team left out the most important one of all – don’t reuse your passwords in multiple places.

After all, it’s sensible that your GoToMyPC password has been changed – but you also need to ensure that you change your passwords on any site *other* than GoToMyPC if you were making the mistake of not using unique passwords.

It’s also a pity that the details are a little sketchy.

Has GoToMyPC suffered a data breach, with passwords nabbed from its servers by online criminals, or is it that attackers are using credentials stolen from other sites to gain access to GoToMyPC accounts?

Right now, GoToMyPC isn’t saying. Maybe it simply doesn’t know.

GoToMyPC is sensibly recommending customers enable two-step verification, which will mean any potential hackers will need more than your password alone to access your account.

The news of the GoToMyPC security breach comes soon after users of TeamViewer, another service for remote desktop access, claimed that their accounts had also been attacked – although the company has denied that it has suffered a security incident.

Hat-tip: Thanks to @PeterVogel for first bringing GoToMyPC’s security advisory to my attention.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

9 comments on “GoToMyPC accounts hacked, all customer passwords reset”

  1. Peter Vogel

    As first posted here:

    https://plus.google.com/u/0/105201176373156907412/posts/FPb7ojTHU4p

  2. Bob

    Unfortunately organisations store the 2SV secrets in the same database (or close to) their password databases.

    Enabling 2SV will stop your (casual) unauthorised user but not somebody who has managed to breach a company's internal systems. It is for this reason I recommend activating 2SV.

    I like to remind people that a password is merely a method of authentication. If a company has suffered a breach then it's highly improbable that 2SV will offer any level of protection.

  3. Anders Dalen

    Usually "a very sophisticated password attack" is code for "We have really lousy security and some script kiddie hacked our site".

    1. Joey L · in reply to Anders Dalen

      I thought it was code for brute force or password re-use.

      1. Anders Dalen · in reply to Joey L

        Note that they are resetting ALL the passwords. This indicates that they have either been hacked or they just woke up with a really bad hangover and no clue to what has happened.

  4. graphicequaliser

    GoToMyPC's password database must have been designed from the ground up to be high-security, because of the nature of the control which it gives a logged-in user. If that can be made to spill its beans using a "sophisticated" attack, it is only a matter of time before the password manager databases also succumb to this "sophisticated" attack. It is time to introduce personal internet "tokens" which travel around with you – perhaps an implant in your right-hand with a bar-code on a microchip. The only way to hack your account is to extract the chip from your hand first!

  5. Jason White

    "Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”

    Whoever wrote this is woefully behind the times. Making passwords complex for humans and these simplistic substitutions do nothing to strengthen passwords. It's all about entropy, people.

  6. Steve

    I use LiteManager it is store all passwords on my local PC, without the threat of loss/reset them

  7. Glenn Dobson

    In case you did not see the follow up communication.

    Citrix takes the safety and security of its customers very seriously, and is aware of the password attack on GoToMyPC. Once Citrix determined the nature of the attack, it took immediate action to protect customers. Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.

    At this time, the response includes a mandatory password reset for all GoToMyPC users. Citrix encourages customers to visit the GoToMyPC status page to learn about enabling two-step verification, and to use strong passwords in order to keep accounts as safe as possible. Further, there is no indication of compromise to any other Citrix product line.

    Frequently Asked Questions:

    Q: What happened?
    A: GoToMYPC (G2P) came under a password attack. Once we determined the nature of the attack, we took immediate action to protect our customers. Citrix can confirm the recent incident was a password re-use attack, where attackers used usernames and passwords leaked from other websites to access the accounts of GoToMyPC users.

    Q: Was GoToMyPC the only product impacted by the attack?
    A: Yes, GoToMyPC was the only product line effected. There is no indication any other product was impacted.

    Q: What did Citrix do?
    A: In order to protect our customers, we have set a mandatory password reset for all GoToMyPC users. We encourage our members to enable two-step verification, and to use strong passwords in order to keep their accounts as safe as possible.

    Q: What should I do if I am a GoToMyPC customer?
    A: To protect you, the GoToMYPC security team reset all customer passwords.

    Next Steps: .
    You will be required to reset your GoToMYPC password before you can login again.
    To reset your password please use your regular GoToMYPC login link.
    Recommendations for a strong password
    • Don’t use a word from the dictionary
    • Select strong passwords that can't easily be guessed with 8 or more characters
    • Make it Complex – Randomly add capital letters, punctuation or symbols
    • Substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”)
    • Don't use the same password in more than one place
    2-step Verification option
    We recommend everyone use the 2-step Verification option for GoToMyPC accounts. http://support.citrixonline.com/en_US/gotomypc/help_files/GTC070021?title=2-Step+Verification

    Q: Was any personal information compromised?
    A: Our initial assessment indicates that no sensitive customer data (such as credit card information) was exposed. We are continuing an in-depth forensic investigation and will share the results of this investigation as soon as feasible.

    Q: Where can we go find more information about the event?
    A: http://status.gotomypc.com

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.