GoTo admits hackers stole customer backups in LastPass breach

Communications firm GoTo has revealed that threat actors stole encrypted customer backups and sensitive product information in a November 2022 attack, which also affected subsidiary LastPass.

The firm has stated that account usernames, salted and hashed passwords, and multi-factor authentication (MFA) settings were included in the stolen information which was taken from a third-party cloud storage service in the November incident.

Although this customer backup data is encrypted, the company believes that the threat actor behind the attack also stole an encryption key for a portion of the stolen backups.

GoTo stated that the key related to a “portion” of the data, but did not elaborate on which files are vulnerable to decryption by the threat actor.

As GoTo does not store payment details, nor collect or store user addresses, dates of birth, or other such identifiable information, data of this kind was not included in the breach.

The company has also warned that backups relating to other services it runs were stolen, such as its virtual private network (VPN) product Hamachi and remote access applications Central and Pro.

GoTo subsidiary LastPass had commenced an investigation in collaboration with Mandiant following a breach in November 2022 that saw threat actors access a third-party cloud storage system used by both LastPass and GoTo.

“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems," said Paddy Srinivasan, CEO at GoTo, in a blog post.

"We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their account."

GoTo has stated it will provide advice for next steps for making affected accounts secure. Customers who were impacted by the breach will have passwords reset as a precautionary measure, and MFA settings reauthorised.

The firm has also committed to migrating accounts to an identity management platform, to further secure accounts against possible future action.

This is the third attack impacting GoTo and its subsidiaries in the past 12 months. In August 2022 a hacker exfiltrated LastPass source code, though Karim Toubba, CEO at the firm, denied that customer information had been impacted in this breach.

Since then, the LastPass admitted encrypted password vaults were stolen, and that names, email addresses, phone numbers and payment information. This has prompted concerns that stolen data could be used for mass phishing campaigns.

“Any breach is unfortunate for all those impacted,” said Javvad Malik, lead security awareness advocate at KnowBe4.

“While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless. Therefore, impacted customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout.

“This can include changing their passwords and being on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.”

IT Pro has approached GoTo for comment.