CCleaner Malware Attack Started With Stolen Credentials

Apr 30, 2018
Author:
Stacy Blaiss Hs
Stacy Blaiss
VP of Corporate Marketing

The details of a massive data breach impacting Piriform, the company that created the popular system cleanup software CCleaner and was acquired by Avast in July 2017, indicate that the first point of compromise was made using stolen credentials. The malware attack infected over 2.3 million users who downloaded or updated the CCleaner app from the official website with the compromised version of the software in August and September last year.

While the specific details of how the credentials were obtained are unknown, Piriform believes the attackers reused legitimate employee credentials exposed in previous data breaches. The hackers used these valid credentials to log in, via TeamViewer, to an unattended workstation belonging to one of the CCleaner developers.

Using Stolen Credentials


Once the initial foothold was established, the hackers moved laterally to other computers on the internal network: they installed a keylogger on already compromised systems to harvest more credentials, then used those credentials to log in with administrative privileges over RDP. Within a few months, the attackers replaced the original version of CCleaner on its official website with their backdoored version, which was distributed to millions of users, including at some of the world’s leading technology companies.

The CCleaner breach is yet another example of why remote access and the use of stolen credentials continue to be named as leading attack vectors for cyber breaches. Bomgar recommends the following steps to prevent, or reduce the impact of, a breach of this nature:

  • Consolidate all remote access to one tool
  • Require the use of MFA for all privileged users
  • Randomize and rotate credentials frequently

Implement a true ‘security by design’ methodology with Bomgar


Bomgar also knows that implementing these kinds of security practices can impact your IT users. Bomgar’s Secure Access solutions enable businesses to control, monitor, and manage access to critical systems and data, while ensuring that people remain productive and are not impeded in their day-to-day job tasks. Bomgar allows users to access systems quickly and securely, while defending access credentials and protecting endpoints from threats.
