
AnyDesk Security Crisis: Accounts for Sale on the Dark Web Following Production Server Breach

AnyDesk confirmed a cyberattack on February 2, 2024, that resulted in unauthorised access to the company’s production systems. The breach allowed the attackers to obtain the private code signing keys as well as the source code.

AnyDesk is a popular remote access solution that allows users to connect easily with computer systems via networks or the internet. Enterprises have widely adopted it as a go-to solution for remote support and efficient access to shared servers.

The German company disclosed the problem after conducting a security check. Although the incident was not a ransomware attack, the company reported it to law enforcement immediately.

Although unrelated to ransomware, the breach prompted the revocation and replacement of security certificates, including the possible loss of AnyDesk’s previous code signing certificate.

AnyDesk mentioned in a statement:

We have revoked all security-related certificates and systems have been remediated or replaced where necessary. We will be revoking the previous code signing certificate for our binaries shortly and have already started replacing it with a new one.

As a precaution, AnyDesk has revoked all login credentials for its customer portal, my.anydesk[.]com. Users are strongly advised to change their passwords, particularly if they have reused them on other sites.

Uncovering AnyDesk’s Security Breach Sheds Light on Supply Chain Vulnerabilities

Cybercriminals often target remote desktop applications to gain control of devices. Their activities range from emptying bank accounts and stealing sensitive data to remotely executing further malicious actions.

After discovering the incident during a security audit, AnyDesk’s security team moved quickly to contain it and carried out a comprehensive remediation plan. Although the exact date of the breach is not yet known, AnyDesk’s tweet about maintenance on January 30 suggests that it may have happened earlier.

A maintenance alert from AnyDesk

AnyDesk became aware of the attack after noticing unusual activity on its production systems. A thorough security assessment confirmed that the systems had been compromised. In response, the company quickly put an incident response plan into action together with security experts.

AnyDesk said that its systems do not store sensitive information such as private keys, security tokens, or passwords. This limits what threat actors targeting end-user devices could gain from the breach.

AnyDesk Credentials sold on the Dark Web

As the fallout from the cyberattack has grown, the picture has become more complicated. Known threat actors are now selling stolen AnyDesk credentials on the Dark Web.

The cybersecurity firm Resecurity discovered 18,317 AnyDesk client credentials offered for sale on the dark web forum exploit.in. This highlights the need for mitigation measures that address weak and reused passwords.

Recognising that the data could be used for phishing and technical support scams, the vendor contacted Resecurity and offered to sell the compromised data for $15,000 in cryptocurrency.

Attackers on the dark web are offering AnyDesk credentials (Resecurity)

According to Resecurity, cybercriminals may be rushing to profit from these customer credentials, even though it is still unknown how they obtained them. The urgency stems from the likelihood of password resets, which forces quick monetisation.

The breach could also expose personal information belonging to AnyDesk customers. This includes licence keys, the number of active connections, session durations, customer IDs, contact information, email addresses associated with the account, and the total number of hosts running remote access management software.

The availability of stolen data on the Dark Web fuels further cybercriminal activity, such as targeted phishing attacks. Attackers armed with detailed user data can carry out sophisticated attacks, replicating the disastrous outcomes seen in incidents such as the SolarWinds breach.

According to Resecurity’s assessment, Dark Web criminals are showing a significant and growing interest in collecting AnyDesk client credentials. The attractiveness of gaining these credentials in bulk appeals to players involved in a variety of illegal activities, including spam, online banking theft, business email compromise (BEC), and account takeover (ATO) activities.

Recommendations

According to the company, all versions of AnyDesk’s tool obtained through authorised channels are safe to use. Users seeking improved security are recommended to install the latest versions, 7.0.15 and 8.0.8.

Threat actors were able to gain access to production systems, even though the company claims that credentials were not compromised in the attack. As a result, all AnyDesk users are strongly advised to change their passwords. Furthermore, if the same password is used on other websites, users should update it there as well.

AnyDesk has a useful whitelist option that allows users to trust particular people by whitelisting their AnyDesk IDs. This ensures that only authorised personnel can access the user’s device. By whitelisting a namespace and limiting connections to IDs within it, businesses can improve security further.

Organisations should also push for additional security measures such as Multi-Factor Authentication, and should monitor for unusual changes to passwords and MFA settings on client accounts, suspicious sessions, and communications claiming to be from other companies that include AnyDesk account information.
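As an added example (not the article’s or AnyDesk’s own code), the PowerShell script below audits a Windows host for AnyDesk binaries and flags builds older than the recommended 7.0.15 / 8.0.8 or not signed by a certificate thumbprint you have approved; the thumbprint value and the search paths are placeholders to fill in for your own environment.

```powershell
# Added example (not from the article or from AnyDesk): audit AnyDesk binaries on a
# Windows host after the code signing certificate revocation described above.
# Checks that the build is at least 7.0.15 (7.x) or 8.0.8 (8.x), that the Authenticode
# signature verifies, and that the signer thumbprint is one you have approved.
# PLACEHOLDER: replace with the thumbprint of the new AnyDesk signing certificate
# as read from a binary you downloaded from the official site.
$ApprovedThumbprints = @('PLACEHOLDER-NEW-ANYDESK-CERT-THUMBPRINT')

# Locations to search; adjust to your estate (hypothetical defaults).
$SearchRoots = @(
    "$env:ProgramFiles\AnyDesk",
    "${env:ProgramFiles(x86)}\AnyDesk",
    "$env:APPDATA\AnyDesk",
    "$env:USERPROFILE\Downloads"
)

function Test-AnyDeskBinary {
    param([Parameter(Mandatory)][string]$Path)
    $raw = (Get-Item $Path).VersionInfo.FileVersion
    $fileVersion = $null
    if (-not [version]::TryParse($raw, [ref]$fileVersion)) { $fileVersion = [version]'0.0' }
    # Minimum patched build for the installed major release, per the vendor advisory.
    $minimum = switch ($fileVersion.Major) {
        7 { [version]'7.0.15' }
        8 { [version]'8.0.8' }
        default { $null }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path

    [pscustomobject]@{
        Path            = $Path
        FileVersion     = $raw
        VersionOk       = ($null -ne $minimum) -and ($fileVersion -ge $minimum)
        # 'Valid' alone is not enough: a build signed with the revoked certificate
        # may still verify if it carries a trusted timestamp, so check the signer too.
        SignatureStatus = $sig.Status
        Signer          = $sig.SignerCertificate.Subject
        SignerApproved  = $ApprovedThumbprints -contains $sig.SignerCertificate.Thumbprint
    }
}

$results = foreach ($root in $SearchRoots | Where-Object { Test-Path $_ }) {
    Get-ChildItem -Path $root -Filter 'AnyDesk*.exe' -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { Test-AnyDeskBinary -Path $_.FullName }
}

# Anything listed here should be removed or reinstalled from the official download.
$results | Where-Object { -not $_.VersionOk -or $_.SignatureStatus -ne 'Valid' -or -not $_.SignerApproved } |
    Format-Table Path, FileVersion, VersionOk, SignatureStatus, Signer, SignerApproved -AutoSize
```

Run it from an elevated prompt so the Program Files paths are readable; an empty table means every AnyDesk binary found is current and signed by an approved certificate.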

Help your colleagues keep a security-first mindset and boost your human firewall by starting your Phishing Tackle security awareness training today with our two-week free trial.
