I previously posted an article about the latest TeamViewer hack that has been spreading around over the last few days. I myself have switched over to using AnyDesk for personal remote support (family, friends, etc.), but I still had TeamViewer on a few systems. I did check my logs, and luckily none of my systems were accessed. However, in the TeamViewer web console, I did see multiple sessions from China that were active in the last 30 days. I have since closed my TeamViewer account and notified all the people I know who use the service to uninstall it and switch to another provider.

Whether you were hacked or not, please fill out this Google Form that one of the /r/TeamViewer mods put together: https://docs.google.com/forms/d/1E5U8iPWk_bLuRFnlpmGOYWY0yfCsBi9SPR3y5YhVefY/viewform

Accessing the Connection Log

If you want to see whether your system was accessed (even if you have uninstalled the program), you just need to check the Connections_incoming.txt file in the TeamViewer directory. The default installation paths are below:

Log File Path

  • 32-Bit (x86) Systems: C:\Program Files\TeamViewer\Connections_incoming.txt
  • 64-Bit (x64) Systems: C:\Program Files (x86)\TeamViewer\Connections_incoming.txt

Here is the log file from one of my systems with the personal information blurred out for security reasons.

[Image: Connections_incoming.txt]
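One way to read that log from PowerShell, added here as an example rather than taken from the original post: it checks both default paths and lists each incoming session, marking partner IDs you do not recognise. The tab-separated column layout, the timestamp format, the `$KnownPartnerIds` allow-list and the sample lines are assumptions, so adjust them to match your own file.

```powershell
# Added example, not from the original post. Assumed line format (tab-separated):
#   partner ID, partner name, start, end, local user, session type, session GUID
# with timestamps written as dd-MM-yyyy HH:mm:ss.
$LogPaths = @(
    'C:\Program Files\TeamViewer\Connections_incoming.txt',
    'C:\Program Files (x86)\TeamViewer\Connections_incoming.txt'
)

# Hypothetical allow-list: partner IDs of devices you connect from yourself.
$KnownPartnerIds = @('111111111')

# Constructed sample lines, used only when neither log file exists.
$SampleLines = @(
    "111111111`tHOME-LAPTOP`t28-05-2016 18:02:11`t28-05-2016 18:20:45`tAlice`tRemoteControl`t{00000000-0000-0000-0000-000000000001}",
    "222222222`tUNKNOWN-PC`t01-06-2016 03:14:07`t01-06-2016 03:41:59`tAlice`tRemoteControl`t{00000000-0000-0000-0000-000000000002}"
)

function ConvertFrom-TeamViewerLog {
    param([string[]]$Lines, [string[]]$Known)
    $format  = 'dd-MM-yyyy HH:mm:ss'
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    foreach ($line in $Lines) {
        $f = $line -split "`t"
        if ($f.Count -lt 6) { continue }          # blank or truncated line
        try {
            $started = [datetime]::ParseExact($f[2].Trim(), $format, $culture)
            $ended   = [datetime]::ParseExact($f[3].Trim(), $format, $culture)
        } catch { continue }                      # timestamps not in the assumed format
        [pscustomobject]@{
            PartnerId   = $f[0].Trim()
            PartnerName = $f[1].Trim()
            Started     = $started
            Ended       = $ended
            Minutes     = [math]::Round(($ended - $started).TotalMinutes, 1)
            LocalUser   = $f[4].Trim()
            Type        = $f[5].Trim()
            Recognised  = $Known -contains $f[0].Trim()
        }
    }
}

$found = @($LogPaths | Where-Object { Test-Path -LiteralPath $_ })
$lines = if ($found.Count -gt 0) { Get-Content -LiteralPath $found } else { $SampleLines }
$sessions = ConvertFrom-TeamViewerLog -Lines $lines -Known $KnownPartnerIds

$sessions | Sort-Object Started | Format-Table -AutoSize
# Sessions from partner IDs that are not on the allow-list deserve a closer look.
$sessions | Where-Object { -not $_.Recognised } | Sort-Object Started | Format-List
```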

Closing

  • If you have any logs that are NOT from you, please save the log, report the information to TeamViewer, and post in the Reddit thread here: https://www.reddit.com/r/teamviewer/comments/4m6omd/teamviewer_breach_masterthread_please_post_your/
  • If you need assistance checking your system for malware that the attackers could have placed on it, please call your preferred IT person or contact me through the site. I offer remote and onsite support.
  • Most importantly, if your system has been accessed by someone else, DO NOT USE THE SYSTEM! There have been multiple reports of keyloggers and other malicious software being installed by the attackers once they gained access to a system. I recommend doing a full OS installation and thoroughly going through any other drives/devices that have been connected to the PC.

TeamViewer continues to deny that they had a breach, but there have been multiple users who had proper passwords and even 2-factor authentication enabled at the time of the attack. Their system is flawed and cannot be trusted until they own up to what happened and post a 100% certain resolution to the breach.