LastPass Owner GoTo Confirms Hackers Stole Customers’ Backups

data breach, security breaches

It gets worse. Confirmation from LastPass owner GoTo that hackers stole encrypted backups and encryption key for portion of them

GoTo (formerly known as LogMeIn), the owner of troubled LastPass, has issued a worrying security update this week.

GoTo had two months ago confirmed that along with LastPass’ password vaults, it had customer data taken by attackers during the November 2022 security breach.

LastPass is currently dealing with the fallout from another security breach. Just before Christmas, LastPass CEO Karim Toubba had issued an update on the security breach that took place in August 2022, in which it admitted hackers had stolen source code and other technical data that had been stored in a third-party cloud service shared by LastPass and GoTo.

LastPass Logo

GoTo update

In December Toubba admitted that the hackers had actually obtained the cloud storage access key and dual storage container decryption keys, and the hackers had used information stolen from the August breach to further compromise the companies’ shared cloud data.

LastPass warned “the threat actor copied information from backup that contained basic customer account information and related metadata.”

Now the CEO of LassPass owner GoTo, Paddy Srinivasan, confirmed in an updated statement that cybercriminals had stolen customers’ encrypted backups during the recent breach of its systems.

The cyberattack impacted a number of GoTo’s products, including business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere,” wrote Srinivasan.

“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” Srinivasan added. “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

“In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” he wrote.

GoTo’s Srinivasan said that at this time, there is no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems.

Contacting customers

He confirmed that GoTo is contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts.

He added that even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, GoTo will also reset the passwords of affected users and/or reauthorise MFA settings where applicable.

“In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” wrote Srinivasan.

He reminded customers GoTo (unlike LassPass) does not store full credit card or bank details, and does not collect or use end user personal information, such as date of birth, home address, or Social Security numbers.

GoTo did not say how many customers are affected, but it is reported that firm has 800,000 customers in total.

GoTo acquired LastPass in October 2015 in a deal valued between $110m and $125m, and in December 2021 it said it would spin out LastPass as a separate cloud security specialist.

Previous breaches

LastPass has suffered a number of security breaches in the past.

In January 2016 a security researcher (Sean Cassidy) cast doubts on the security of LastPass when he claimed he had discovered a way of gaining login credentials, and even a two factor authentication code, through a phishing attack.

Cassidy went public and publish his exploit on Github after notifying the firm two months previously, but he was not satisfied by their response.

Prior to that in June 2015, LastPass suffered a major data breach, in which the stolen data could have allowed hackers to guess weak master passwords.

The company said at the time that as a precaution it was prompting all users to change their master passwords.

Third-party passwords stored with LastPass were not affected at the time.