Many people use GoToMyPC to get remote access to their home and work computers
Passwords for every GoToMyPC account are being reset following a “sophisticated” attack on the service.
Many people use GoToMyPC to obtain remote access to home and work computers via a web browser.
The attackers used login names and passwords found in other data breaches to get at GoToMyPC accounts.
The global password reset comes soon after a separate attack on another remote access system that also re-used passwords stolen elsewhere.
In a statement, GoToMyPC owner Citrix confirmed reports of the attack and said login credentials leaked from other sites had been used to get at accounts of its users.
In response, Citrix said it had done a “mandatory password reset” for all its users.
“We encourage our members to enable two-step verification, and to use strong passwords in order to keep their accounts as safe as possible,” it added. GoToMyPC software is available in consumer, pro and enterprise versions.
Early analysis suggested no sensitive data, such as credit card numbers, had been exposed. Citrix said the investigation was continuing and users would be told if more information had gone astray.
“We apologise for the frustration this issue is causing,” it said.
A status report on the GoToMyPC website that said the site was hard to reach suggested many people had been trying to change their password following news of the attack.
Earlier this month, many users of the TeamViewer remote access software reported they had been hit by attackers who used login credentials found in massive dumps of login data sold and shared online.
Hundreds of millions of user names and passwords have become available in 2016 and many cyber-thieves have combed through these long lists to see if the credentials listed have been re-used on other services.
“Re-using passwords at multiple sites is a bad idea to begin with, but re-using your GoToMyPC remote administrator password at other sites seems like an exceptionally lousy idea,” said security expert Brian Krebs in a blogpost analysing the attack.