GoToMyPC Requiring Users to Reset Passwords Following Attack

GoToMyPC, a remote access and desktop connection service offered by Citrix, is requiring users to reset their passwords following a recent attack.

On Sunday, the team at GoToMyPC issued a security update that provides some details about what happened:

“Unfortunately, the GoToMyPC service has been targeted by a very sophisticated password attack. To protect you, the security team recommended that we reset all customer passwords immediately. Effective immediately, you will be required to reset your GoToMyPC password before you can login again.”

The update omits several important details about the attack, such as how many passwords were compromised.

Nor does it say whether GoToMyPC itself was breached. That could mean the service experienced a password reuse attack similar to the one that targeted the popular web-based code repository service GitHub earlier in June.

While hackers might have used the same type of technique in both the GoToMyPC and GitHub attacks, Help Net Security’s managing editor Zeljka Zorz feels users should be more concerned about the former than the latter:

“Compromised GoToMyPC accounts bring more immediate danger to users than compromised GitHub accounts, though, as the former would allow attackers to access the victims’ computer and all the information on it, including banking and personal information.”

GoToMyPC is urging users to practice good password hygiene when resetting their passwords. That includes selecting a password that is not dictionary-based, that is longer than eight characters, that includes randomly inserted numbers and symbols, and that substitutes numbers for letters (such as “0” for “o” and “3” for “e”).

For added protection, users could also enable 2-step verification on their accounts, an optional feature which protects an account with an additional layer of security by sending a one-time verification code to a registered phone after each login attempt.

As of this writing, GoToMyPC is still investigating the attack.