IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate.
GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.
In a notice posted online, Srinivasan the encrypted backups were related to multiple GoTo-owned software products:
“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.
In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
Srinivasan said the company has no evidence of exfiltration affecting any other GoTo products or any of GoTo’s production systems.
Even though all account passwords were salted and hashed in accordance with best practices, Srinivasan said GoTo plans to reset the passwords of affected users and/or reauthorize MFA settings where applicable.
“In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” the GoTo CEO said.
In August last year, GoTo affiliate LastPass disclosed a data breach that included the theft of source code and proprietary technical information. In November, GoTo said it was also affected by that hack, which is linked to an unnamed third-party cloud security vendor.
In a worrisome update in late December, the password management outfit admitted the hackers behind the August breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.
LastPass said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.
In addition, the unidentified actor was also able to copy a backup of customer vault data from an encrypted storage container.
The exposed container contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.
Related: LastPass Says Password Vault Data Hijacked in Data Breach
Related: LastPass Source Code Stolen in Data Breach
Related: GoTo, LastPass Notify Customers of New Data Breach Related to Previous Incident
Related: LastPass Found No Code Injection Attempts Following August Data Breach