
AnyDesk Security Breach 2024: What Actually Happened

Arthur Teboul · 9 min read

In late December 2023, attackers breached AnyDesk's production systems. Source code and a private code signing certificate were stolen. The AnyDesk security breach wasn't disclosed publicly until February 2, 2024 — roughly six weeks after the initial compromise. Here's what happened, what was actually compromised, and what IT teams should do today.

The numbers behind this: The average cost of a data breach reached $4.88 million globally in 2024 — the largest single-year increase since the COVID pandemic. Breaches involving stolen credentials take an average of 292 days to identify and contain. (IBM Cost of a Data Breach Report, 2024)

What Was the AnyDesk Security Breach — and When Did It Start?

The AnyDesk security breach began in late December 2023, when attackers gained unauthorized access to AnyDesk's production servers. This was not a ransomware attack — no ransom demand was made, no data was encrypted. It was a targeted intrusion aimed at exfiltrating high-value assets from AnyDesk's core infrastructure.

The breach was detected in mid-January 2024 during an internal security audit. AnyDesk immediately engaged CrowdStrike for incident response. The public disclosure didn't come until February 2, 2024 — after AnyDesk had already quietly shipped version 8.0.8 on January 29, signed with a new certificate, under the cover of a maintenance window.

Verified Timeline

| Date | Event |
|------|-------|
| Late December 2023 | Attackers gain access to AnyDesk production systems |
| Mid-January 2024 | AnyDesk detects the breach via internal security audit |
| January 29, 2024 | AnyDesk releases Windows v8.0.8 with new signing certificate; portal maintenance begins |
| Jan 29 – Feb 1, 2024 | Portal maintenance window — login disabled |
| February 2, 2024 | AnyDesk publishes official public statement |
| February 3, 2024 | Resecurity reports 18,317 AnyDesk credentials for sale on Exploit[.]in |
| February 6–7, 2024 | DigiCert revokes the "philandro Software GmbH" certificate |

~6 weeks between initial compromise (Dec. 2023) and public disclosure (Feb. 2, 2024). (AnyDesk Public Statement, 2024)

What Was Compromised in the AnyDesk Security Breach?

Four elements were confirmed as compromised in the AnyDesk security breach.

1. Production server access. Attackers obtained unauthorized access to AnyDesk's production servers — the company's core infrastructure.

2. Source code. AnyDesk's proprietary source code was stolen. This exposes the internal software architecture and could facilitate discovery of future vulnerabilities.

3. Private code signing certificate. The certificate issued to "philandro Software GmbH" (serial: 0dbf152deaf0b981a8a938d53f769db8, valid from December 13, 2021) was compromised. This certificate allowed code to be signed as if it came officially from AnyDesk.

4. Two relay servers. Sources indicate that two relay servers located in Europe were affected — though sources disagree on the exact geographic scope.

The real-world risk of the stolen certificate: Cybereason identified over 500 samples of Agent Tesla malware signed with the compromised philandro Software GmbH certificate appearing on VirusTotal from June 2022 onward. Those malicious files appeared legitimate to antivirus engines. AnyDesk notes there's no direct evidence these signatures occurred after the breach — but the supply-chain risk is documented, not theoretical. (Cybereason, 2024)

What Was NOT Compromised

AnyDesk officially stated, following the CrowdStrike investigation, that the following were not affected:

  • Customer session and connection data — session authentication tokens exist only on end-user devices and never transit AnyDesk's servers
  • End-user devices — no evidence any endpoint was compromised
  • Customer personal data — AnyDesk stated: "We have no evidence that any customer data has been exfiltrated"
  • Malicious code modifications — code review found no alterations
  • Malicious software updates — software downloaded from official sources was declared safe

The 18,317 Dark Web Credentials: What Actually Happened?

On February 3, 2024 — one day after AnyDesk's official disclosure — cybersecurity firm Resecurity reported that 18,317 credentials associated with AnyDesk customer accounts had appeared for sale on the Exploit[.]in forum, listed at $15,000 by a threat actor known as "Jobaaaaa."

This point deserves a critical distinction that many reports missed.

These credentials almost certainly did not come from AnyDesk's server breach. Resecurity states this explicitly in their own report: these compromised credentials "are widely believed to be the result of infostealer infections" — meaning malware on individual users' machines harvested saved passwords, not server-side theft. Resecurity acknowledges the uncertainty directly: "the sources and methods for acquiring data of this nature may vary depending on threat actors' unique TTPs."

The timing is telling: the credentials appeared on Exploit[.]in on February 3 — one day after AnyDesk declared the incident resolved. This suggests an opportunistic monetization campaign, exploiting media coverage to offload pre-existing stolen data. The "Jobaaaaa" actor (active since 2021 on Exploit[.]in) was never attributed to AnyDesk's infrastructure compromise.

Bottom line: The Resecurity credential leak and the AnyDesk production breach are two overlapping but distinct incidents. Treating them as one event — as many reports did — gives an inaccurate picture of what happened.

18,317 AnyDesk credentials on Exploit[.]in (likely source: third-party infostealers, not AnyDesk's servers). (Resecurity, Feb. 2024)

How Did AnyDesk Respond to the Security Breach?

AnyDesk's response was technically swift, though criticized for initial opacity on the timeline.

Immediate technical actions:

  1. Engaged CrowdStrike for full forensic investigation and incident response
  2. Remediated and replaced compromised production systems
  3. Released Windows version 8.0.8 on January 29, 2024, signed with a new certificate: "AnyDesk Software GmbH" (serial: 0a8177fcd8936a91b5e0eddf995b0ba5)
  4. Revoked all compromised security certificates — confirmed by DigiCert on February 7, 2024
  5. Forced mandatory password reset for all my.anydesk.com portal users
  6. Contacted affected customers directly

Note on binaries signed with the old certificate: After revocation, Microsoft SmartScreen began flagging binaries signed with the old philandro Software GmbH certificate as potentially malicious. Any AnyDesk installation below version 8.0.8 using the old certificate should be treated as untrusted.

Industry Context: Other Remote Desktop Incidents in 2024

The AnyDesk security breach didn't happen in isolation. Two other significant incidents hit the remote access sector in the same timeframe.

TeamViewer — June 2024 (APT29): Attackers affiliated with APT29 (Russian SVR, also known as "Midnight Blizzard") compromised TeamViewer's internal corporate IT network. The incident was contained to the employee directory — product environments and customer data were not affected. Microsoft assisted with the response. Notable: TeamViewer had also been compromised by Chinese hackers (Winnti group) in 2016 — and didn't disclose it publicly for three years, until 2019.

ConnectWise ScreenConnect — February 2024 (separate CVE): On February 19, 2024, ConnectWise disclosed CVE-2024-1709, a critical (CVSS 10.0) authentication bypass affecting ScreenConnect versions 23.9.7 and earlier. LockBit 3.0 affiliates exploited it at scale against MSPs. Key distinction: this was a product CVE, not a vendor infrastructure breach — mechanically different from the AnyDesk incident. CISA added CVE-2024-1709 to its Known Exploited Vulnerabilities catalog on February 22, 2024.

What these incidents reveal: Remote access tools are a high-priority target. Whether via infrastructure compromise (AnyDesk), internal network intrusion (TeamViewer), or product CVE (ConnectWise), the absence of a documented incident doesn't guarantee the absence of risk — it reflects what's been disclosed. (Sophos Active Adversary Report, 2024)

90% of IR incidents handled by Sophos in 2023 involved abuse of the RDP protocol. (Sophos Active Adversary Report, 2024)

What IT Teams Should Do Today

If your organization uses AnyDesk, here are the actions to take — in priority order.

Immediate actions (if not already done):

  1. Verify installed versions. All Windows installations must be version 8.0.8 or later, signed with the "AnyDesk Software GmbH" certificate. Any installation using the old "philandro Software GmbH" certificate must be uninstalled and reinstalled from anydesk.com/downloads.
  2. Audit unmanaged installations. Check that employees haven't installed older AnyDesk versions on personal machines used for work.
  3. Confirm portal password resets. AnyDesk forced this change, but verify that no service accounts or shared accounts escaped the reset.
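Steps 1 and 2 above as one script: an added PowerShell example (not AnyDesk's or this article's own code) that scans a Windows host for AnyDesk executables, reads each file's Authenticode signer and version, and flags anything still signed with the revoked "philandro Software GmbH" certificate or older than 8.0.8. The search roots are an assumption; the two certificate serial numbers are the ones quoted in this article.

```powershell
# Added example, not AnyDesk's or the article's own code.
# Audits AnyDesk binaries on a Windows host: flags the revoked
# "philandro Software GmbH" certificate and versions below 8.0.8.
# Certificate serial numbers are the ones quoted in the article.
$RevokedSerial = '0DBF152DEAF0B981A8A938D53F769DB8'   # philandro Software GmbH (compromised)
$NewSerial     = '0A8177FCD8936A91B5E0EDDF995B0BA5'   # AnyDesk Software GmbH (replacement)
$MinVersion    = [version]'8.0.8'

# Assumed search roots: standard install paths plus user profiles, where the
# portable build often ends up on unmanaged machines (step 2 above).
$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}, "$env:SystemDrive\Users") |
    Where-Object { $_ -and (Test-Path $_) }

function Test-AnyDeskBinary {
    param([Parameter(Mandatory)][string]$Path)

    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $cert = $sig.SignerCertificate
    $vi   = (Get-Item -LiteralPath $Path).VersionInfo
    $ver  = [version]::new($vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart)

    # Check the serial explicitly rather than trusting Status alone: a
    # timestamped signature made before revocation can still report Valid.
    $verdict = if (-not $cert)                              { 'UNSIGNED' }
        elseif ($cert.SerialNumber -eq $RevokedSerial)      { 'REVOKED-CERT' }
        elseif ($sig.Status -ne 'Valid')                    { "BAD-SIGNATURE ($($sig.Status))" }
        elseif ($ver -lt $MinVersion)                       { 'OUTDATED' }
        elseif ($cert.SerialNumber -eq $NewSerial -or
                $cert.Subject -like '*AnyDesk Software GmbH*') { 'OK' }
        else                                                { 'UNEXPECTED-SIGNER' }

    [pscustomobject]@{
        Path    = $Path
        Version = $ver
        Signer  = if ($cert) { $cert.Subject } else { '-' }
        Serial  = if ($cert) { $cert.SerialNumber } else { '-' }
        Verdict = $verdict
    }
}

# Scan for AnyDesk executables and list findings, anything not OK first.
Get-ChildItem -Path $SearchRoots -Filter 'AnyDesk*.exe' -Recurse -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-AnyDeskBinary -Path $_.FullName } |
    Sort-Object @{ Expression = { $_.Verdict -eq 'OK' } }, Path |
    Format-Table -AutoSize
```

Anything reported as REVOKED-CERT, OUTDATED, UNSIGNED or UNEXPECTED-SIGNER should be uninstalled and reinstalled from anydesk.com/downloads as described in step 1; run it under an account that can read other users' profile directories or the user-profile sweep will be incomplete.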

Medium-term governance actions:

  1. Assess GDPR/NIS2 exposure. If your organization is subject to GDPR, evaluate whether the theoretical portal credential exposure constitutes an incident requiring notification to your supervisory authority. GDPR Article 33 requires notification within 72 hours of a breach likely to affect natural persons. NIS2 imposes similar obligations on digital infrastructure providers since October 2024.
  2. Enable two-factor authentication. AnyDesk offers 2FA for remote access sessions — enable it on all accounts that don't yet have it.
  3. Review your RMM tool allowlist. Define an explicit allowlist of approved remote access tools and block non-approved executables. CISA has published specific guidance on malicious use of RMM tools.

For teams evaluating a migration:

If the AnyDesk security breach has triggered a review of your remote access tooling, our comparison of the 7 best AnyDesk alternatives in 2026 covers Splashtop, RustDesk, TeamViewer, and Sobrii Remote with verified pricing and honest security records.

Regulatory Implications: GDPR and NIS2

The AnyDesk security breach raises specific questions for European organizations.

GDPR (Article 33): If AnyDesk qualifies as a data processor under GDPR for your data, the compromise of its production systems may constitute a breach requiring notification to your supervisory authority within 72 hours — even in the absence of proof of customer data exfiltration. AnyDesk's "no evidence of exfiltration" statement mitigates the risk but may not eliminate the obligation, depending on your national authority's interpretation.

NIS2: In effect since October 2024 across most EU member states, NIS2 requires digital infrastructure providers — a category that covers a remote desktop software vendor — to issue an early warning within 24 hours, a full incident report within 72 hours, and a final report within one month. Enterprise customers using AnyDesk must also evaluate whether this incident constitutes a "significant incident" for their own NIS2 reporting obligations.

FAQ — AnyDesk Security Breach

When did the AnyDesk breach start? The initial compromise occurred in late December 2023. It was detected by AnyDesk in mid-January 2024 during an internal security audit, and publicly disclosed on February 2, 2024 — approximately six weeks after the initial breach.

Is AnyDesk safe to use today? AnyDesk replaced compromised systems, revoked and replaced certificates, and forced a portal password reset. CrowdStrike conducted the forensic investigation. Version 8.0.8 and later with the new certificate is considered safe by AnyDesk. No malicious code modifications were found. That said, each organization should assess its own residual risk tolerance, particularly in regulated environments.

Did the 18,317 stolen credentials come from AnyDesk's servers? Almost certainly not. Resecurity, which reported the leak, states these credentials are "widely believed to be the result of infostealer infections" — malware on individual users' machines. They appeared on the dark web one day after AnyDesk's disclosure, suggesting an opportunistic campaign rather than direct server-side exfiltration.

Who was responsible for the AnyDesk security breach? The attacker's identity was never publicly disclosed by AnyDesk and has not been confirmed through official attribution. No specific APT group was named in official reports. Any nation-state attribution found in secondary sources is speculative.

Does our organization need to notify a data protection authority? This depends on your jurisdiction, AnyDesk's role in your data processing chain, and your national authority's interpretation. As a general rule, if AnyDesk processes personal data on your behalf, the compromise of its systems may trigger GDPR notification requirements. Consult your DPO.

Did AnyDesk change its pricing after the breach? Yes — but independently of the breach. In October 2025, AnyDesk switched to connection-based licensing and raised prices 26–40%. Current plans (annual billing) start at approximately $28.90/month for the Solo tier.


The AnyDesk security breach illustrates a structural risk inherent to remote access tools: their architecture makes them high-value targets, and a vendor compromise can have downstream consequences for the entire user chain — even without direct customer data exfiltration. For IT teams, the lesson isn't to avoid remote access tools. It's to audit them with the same rigor as any other critical infrastructure.

Compare remote access tools: TeamViewer vs AnyDesk security deep-dive →

Next Step: Evaluate Your Remote Access Solution

Sobrii Remote is a remote access solution built for IT teams managing Windows device fleets. Every session includes full device context — battery status, CPU/GPU health, storage, software inventory — before the connection is established. TLS 1.3 architecture, AES-256 encryption, data hosted in France on Azure.

Download Sobrii Remote — secure remote access for IT fleets →

Managing 50+ Windows devices and looking for a consolidated fleet view? Sobrii Platform combines asset management, fleet health, and remote access in a single dashboard.

Written by Arthur Teboul, CPO & Co-founder, sobrii

Arthur is CPO and co-founder of sobrii, a SaaS platform that helps IT leaders manage the lifespan, costs, and carbon footprint of their device fleets. sobrii collects real-time data from every endpoint to replace calendar-based refresh cycles with decisions based on actual machine health.
