GoTo admits hackers stole customer backups in LastPass breach
In addition to losing encrypted backups such as hashed passwords, the firm has confirmed hackers stole an encryption key relating to the data
Communications firm GoTo has revealed that threat actors stole encrypted customer backups and sensitive product information in a November 2022 attack, which also affected subsidiary LastPass.
The firm has stated that account usernames, salted and hashed passwords, and multi-factor authentication (MFA) settings were among the stolen information, which was taken from a third-party cloud storage service in the November incident.
Although this customer backup data is encrypted, the company believes that the threat actor behind the attack also stole an encryption key for a portion of the stolen backups.
GoTo stated that the key related to a “portion” of the data, but did not elaborate on which files are vulnerable to decryption by the threat actor.
As GoTo does not store payment details, nor collect or store user addresses, dates of birth, or other such identifiable information, data of this kind was not included in the breach.
GoTo subsidiary LastPass had commenced an investigation in collaboration with Mandiant following a breach in November 2022 that saw threat actors access a third-party cloud storage system used by both LastPass and GoTo.
“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems,” said Paddy Srinivasan, CEO at GoTo, in a blog post.
“We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their account.”
GoTo has stated it will advise affected customers on the next steps for securing their accounts. Customers impacted by the breach will have their passwords reset as a precautionary measure and their MFA settings reauthorised.
The firm has also committed to migrating accounts to an identity management platform, to further secure accounts against possible future action.
This is the third attack impacting GoTo and its subsidiaries in the past 12 months. In August 2022, a hacker exfiltrated LastPass source code, though Karim Toubba, CEO at the firm, denied that customer information had been impacted in that breach.
Since then, LastPass has admitted that encrypted password vaults were stolen, along with names, email addresses, phone numbers and payment information. This has prompted concerns that the stolen data could be used for mass phishing campaigns.
“Any breach is unfortunate for all those impacted,” said Javvad Malik, lead security awareness advocate at KnowBe4.
“While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless. Therefore, impacted customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout.
“This can include changing their passwords and being on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.”
IT Pro has approached GoTo for comment.