GoTo, the maker of LastPass, GoTo Meeting, GoToMyPC, and many other tools, said an attacker was able to steal encrypted backups of some customers’ data along with an encryption key for some of those backups in a November intrusion at the company’s third-party cloud backup service.
The company disclosed the intrusion in November, saying that an attacker had gained access to the company’s development environment as well as the storage provider. On Tuesday, GoTo CEO Paddy Srinivasan said the intrusion resulted in the theft of the encrypted backups and encryption key for some customers of Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” Srinivasan said in Tuesday’s update.
“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems.”
GoTo originally disclosed the intrusion on Nov. 30, offering limited details and simply saying that the incident involved an attacker gaining access to the company’s development environment and third-party cloud storage service. That storage service also is used by LastPass, and in December LastPass disclosed its own incident related to the intrusion. In that case, the attacker used some information stolen during a previous intrusion at LastPass in August “to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.”
The exfiltration of customer backups along with the encryption key for some of those databases is a serious issue, and Srinivasan said the company is contacting affected customers directly, and also is changing the security setting for those customers.
“Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” Srinivasan said.
The recent LastPass incident also involved the theft of encrypted customer data, as well as some unencrypted information, such as URLs.
