GoTo, the remote collaboration and IT software company that owns LastPass and its password vaults, confirmed that attackers took customer data during a security breach in November 2022 (via TechCrunch).
Many of GoTo’s enterprise products were affected, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. GoTo CEO Paddy Srinivasan writes that a hacker “exfiltrated encrypted backups from a third-party cloud storage service” and obtained the encryption key for some of them – almost two months ago. The information taken varies by product but “may include account usernames, salted and hashed passwords, some Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
The attackers did not take encrypted databases for the more famous remote computer software GoToMyPC and Rescue; however, “MFA arrangements were affected for a small subset of their customers.”
GoTo appears to be contacting affected customers directly to provide additional information as well as support on what actions to take. Their account passwords will be reset “out of an abundance of caution,” and MFA will also be reauthorized. Srinivasan also wrote that affected accounts will be moved to another Identity Management Platform for added security, one with “more robust authentication and login security options.”
We first heard of the breach in August, when LastPass notified users that a developer account had been compromised by an unauthorized party. It appears that information taken during that attack was used in November, when hackers managed to access customer vaults – something that was only announced publicly late on Thursday, December 22, when lots of people were getting ready to take a holiday break.
Cybersecurity experts tore apart LastPass’s response to the leak, accusing the company of not being transparent about the severity of the situation and not admitting it failed to contain the breach.
Now, Srinivasan is dealing with a major fallout that is only getting worse. But the CEO is reassuring customers that GoTo does not store their full credit card and banking details and does not collect PII such as date of birth, address, and Social Security numbers. LastPass also played down a separate incident in 2021 where customers were targeted by persistent unauthorized login attempts.