AnyDesk Revokes Passwords After Hacker Attack; Threat Actors Advertise Stolen Data

Remote desktop software maker AnyDesk has issued a notice informing users that, due to a security breach, current login credentials will no longer work. Threat actors are reportedly already selling stolen data on hacking forums.

Founded in 2014 in Stuttgart, Germany, AnyDesk has subsidiaries in the US, mainland China and Hong Kong, as well as an Innovation Hub in the transcontinental territory of Georgia.

The company has issued a notice acknowledging a security breach on its production systems, which prompted its IT staff to revoke access to the AnyDesk web portal using current login credentials.

“Following indications of an incident on some of our systems, we conducted a security audit and found evidence of compromised production systems,” reads the notice.

My.anydesk certificates and passwords revoked

“We have revoked all security-related certificates and systems have been remediated or replaced where necessary,” it continues. “We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.”

AnyDesk says it takes precautions to prevent hackers from exploiting security tokens or passwords in case of compromise. However, the company is taking further steps by revoking all passwords to the my.anydesk.com portal. Not only that, it is advising users to change those passwords if they use the same passwords elsewhere.

“Our systems are designed not to store private keys, security tokens or passwords that could be exploited to connect to end user devices,” according to the memo. “As a precaution, we are revoking all passwords to our web portal, my.anydesk.com, and we recommend that users change their passwords if the same credentials are used elsewhere.”

The notice says there is no evidence that any end-user devices were compromised, adding “we can confirm that the situation is under control and it is safe to use AnyDesk.”

Users are told to download the latest version of the software, with the new code signing certificate.

For anyone curious what kind of attack this was, “this incident is not related to ransomware,” AnyDesk clarifies.

With the remediation plan concluded and the relevant authorities notified, AnyDesk’s memo suggests everyone can move forward.

Stolen data up for sale

However, reports in the infosec blogosphere say that at least two threat actors are already advertising data stolen in the AnyDesk breach.

One such ad allegedly offers login information of 18,317 accounts for use in tech support scams and phishing for $15,000 in cryptocurrency.

AnyDesk has partners worldwide in a wide range of industries. A supply chain attack on the company’s production systems could have dire consequences, as evidenced by last year’s MoveIt incident.

It remains to be seen if hackers manage to capitalize on the stolen data before all AnyDesk users catch wind of the incident and stop using these now-compromised passwords. At least some users have likely re-used their AnyDesk password with other services, meaning they’ll be vulnerable to credential stuffing attacks until they forego the passwords entirely.