Skip to content
Naked Security Naked Security

GoToMyPC suffers ‘very sophisticated’ password attack

Change your password now!

Having problems logging in to GoToMyPC?

Here’s why: Citrix’s remote-access service for laptops and PCs has been hacked, and users are being required to change their passwords.

From an incident report Citrix posted on Saturday and that it’s been updating since:

Unfortunately, the GoToMYPC service has been targeted by a very sophisticated password attack. To protect you, the security team recommended that we reset all customer passwords immediately.

No details have been released, so we’ll have to take Citrix’s word for it when it says that the attack was “very sophisticated.”

Citrix didn’t immediately report the attack: the first thing that happened was that customers noticed they couldn’t log in and were instead being forced to change their passwords. After a few hours, the company warned users of the attack.

Users need to change their passwords, effective immediately. Here’s how: use the “Forgot Password” link located under the GoToMyPC account login.

Make sure it’s a good one, GoToMyPC said, giving these password creation tips:

  • No dictionary words
  • Use a new password, not one used before
  • Use 8 or more characters.
  • Make it complex: randomly add capital letters, punctuation or symbols.
  • Use Leet speak: in other words, substitute numbers for letters that look similar (for example, substitute “0” for “o” or “3” for “E”.
  • What GoToMyPC forgot to mention: don’t reuse passwords!

That leet speak one needs some qualification. As Naked Security has noted before, attackers aren’t going to be thrown off if somebody swaps an “@” for an A.

Cracking passwords is often an automated, painless process: the attackers, rather than sitting around trying to guess our passwords, just hand the job over to computer programs.

Those cracking programs know all the popular passwords (and how popular they are), have huge lists of dictionary words they can consult, and also recognize leet-speak substitutions that people use to add funny ch@ract3rs.

Such attacks are easy to perform and very common.

Besides those tips, GoToMyPC is also recommending that users consider turning on its two-factor authentication (2FA).

Here’s how to set it up.

But please do remember that strong, complex passwords aren’t failsafe: there are many breaches that involve logins ripped off from third-party sites. Keyloggers can also grab even the most complicated, strong passwords.

We’re in the age of mega-user data dumps, with many of the datasets posted for sale online, be it the credentials for users of LinkedIn, Twitter, Tumblr, or MySpace.

People who’ve reused passwords put themselves at risk of having all such accounts hijacked or, in the case of online bank accounts, plundered. So don’t do it!

Bear in mind that even 2FA isn’t foolproof, as we learned last week when the Twitter account of Black Lives Matter activist and politician DeRay Mckesson was hijacked in spite of that extra security step.

(No video? Watch on YouTube. No audio? Click on the [CC] icon for subtitles.)


“Very sophisticated password attack” is marketing speak for “SQL injection on the login field”.


“Use a new password, not one used before”
[ … ]
“What GoToMyPC forgot to mention: don’t reuse passwords!”

Didn’t they mention it as point two?

Also, wouldn’t any 8 character password already be sitting in a rainbow table somewhere? Even if it were salted, surely a 15 or 20 character password is a much better idea?

I also have issue with enforced “complexity” – mixed case, alphanumeric. Not only would I find it easier to remember a password like “Golf course dentist running equinox” over 87!weK4{, I’d bet it would be harder to crack too.


Ah! They might have meant that. I, and other journalists, took it to mean “don’t use the same password you’ve used before with GoToMyPC.” It wasn’t clearly stated that it shouldn’t be a password used *anywhere else besides GoToMyPC.”


Nothing will change until judges start sentencing hackers that do get caught to twenty year prison terms. The laws in effect now have no teeth.


Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to get the latest updates in your inbox.
Which categories are you interested in?
You’re now subscribed!