IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

GoTo admits hackers stole customer backups in LastPass breach

In addition to losing encrypted backups such as hashed passwords, the firm has confirmed hackers stole an encryption key relating to the data

A gloved cartoon hand inserts a key, the teeth of which are asterisks, into a keyhole against a red background

Communications firm GoTo has revealed that threat actors stole encrypted customer backups and sensitive product information in a November 2022 attack, which also affected subsidiary LastPass.

The firm has stated that account usernames, salted and hashed passwords, and multi-factor authentication (MFA) settings were included in the stolen information which was taken from a third-party cloud storage service in the November incident. 

Related Resource

Automate security intelligence with IBM Security QRadar SIEM

Simplify and improve threat detection, investigation and response with reducing overheads

Whitepaper cover with title, logo on black header banner, and bar graphsFree Download

Although this customer backup data is encrypted, the company believes that the threat actor behind the attack also stole an encryption key for a portion of the stolen backups.

GoTo stated that the key related to a “portion” of the data, but did not elaborate on which files are vulnerable to decryption by the threat actor.

As GoTo does not store payment details, nor collect or store user addresses, dates of birth, or other such identifiable information, data of this kind was not included in the breach.

The company has also warned that backups relating to other services it runs were stolen, such as its virtual private network (VPN) product Hamachi and remote access applications Central and Pro.

GoTo subsidiary LastPass had commenced an investigation in collaboration with Mandiant following a breach in November 2022 that saw threat actors access a third-party cloud storage system used by both LastPass and GoTo.

“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems," said Paddy Srinivasan, CEO at GoTo, in a blog post.

"We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their account."

GoTo has stated it will provide advice for next steps for making affected accounts secure. Customers who were impacted by the breach will have passwords reset as a precautionary measure, and MFA settings reauthorised.

The firm has also committed to migrating accounts to an identity management platform, to further secure accounts against possible future action.

This is the third attack impacting GoTo and its subsidiaries in the past 12 months. In August 2022 a hacker exfiltrated LastPass source code, though Karim Toubba, CEO at the firm, denied that customer information had been impacted in this breach. 

Since then, the LastPass admitted encrypted password vaults were stolen, and that names, email addresses, phone numbers and payment information. This has prompted concerns that stolen data could be used for mass phishing campaigns.

“Any breach is unfortunate for all those impacted,” said Javvad Malik, lead security awareness advocate at KnowBe4.

“While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless. Therefore, impacted customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout. 

“This can include changing their passwords and being on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.”

IT Pro has approached GoTo for comment.

Featured Resources

2023 Strategic roadmap for data security platform convergence

Capitalise on your data and share it securely using consolidated platforms

Free Download

The 3D trends report

Presenting one of the most exciting frontiers in visual culture

Free Download

The Total Economic Impact™ of IBM Cloud Pak® for Watson AIOps with Instana

Cost savings and business benefits

Free Download

Leverage automated APM to accelerate CI/CD and boost application performance

Constant change to meet fast-evolving application functionality

Free Download

Recommended

LastPass customer password vaults stolen, targeted phishing attacks likely
Security

LastPass customer password vaults stolen, targeted phishing attacks likely

23 Dec 2022
LastPass admits 'elements' of customer data accessed in breach
hacking

LastPass admits 'elements' of customer data accessed in breach

1 Dec 2022
Revealed: The top 200 most common passwords of 2022
cyber security

Revealed: The top 200 most common passwords of 2022

17 Nov 2022
Building a better password strategy for your business
Whitepaper

Building a better password strategy for your business

26 Oct 2022

Most Popular

Yandex data breach reveals source code littered with racist language
data breaches

Yandex data breach reveals source code littered with racist language

30 Jan 2023
Dutch hacker steals data from virtually entire population of Austria
data breaches

Dutch hacker steals data from virtually entire population of Austria

26 Jan 2023
What's powering Britain’s fibre broadband boom?
Network & Internet

What's powering Britain’s fibre broadband boom?

3 Feb 2023