GoToMyPC, a remote computer administration service offered by Citrix, has forced a password reset for all customers in the wake of what they call a “very sophisticated password attack.”
“Effective immediately, you will be required to reset your GoToMyPC password before you can login again,” the company told customers via email on Sunday, and advised them to use their regular GoToMyPC login link to reset the password, or go through the “Forgot Password” link located under the GoToMyPC account login.
Users were asked not to choose the same password as before, to avoid using words that come up in a dictionary, to make it longer than 7 characters, and to make it complex.
Unfortunately, the company didn’t add one more crucial piece of advice: “Don’t use a password you’re already using for some other online account.”
They did, however, advise users to use the 2-step verification option to protect their accounts.
GoToMyPC didn’t say that they have suffered a breach, so it’s likely that password reuse is what led to this particular attack.
A few days ago an unknown attacker was spotted trying to break into a large number of GitHub accounts by trying out username/password combinations leaked from other online services, and it’s possible he moved on to targeting GoToMyPC, or some other attacker did.
Compromised GoToMyPC accounts bring more immediate danger to users than compromised GitHub accounts, though, as the former would allow attackers to access the victims’ computers and all the information on them, including banking and personal information.
As we’ve seen in the recent spate of TeamViewer account takeovers, this could end up with fraudulent purchases and emptied bank accounts.