Posted on January 25, 2023 at 5:10 PM
GoTo (formerly LogMeIn), the parent company of the popular password manager LastPass, has released new details about the breach that LastPass confirmed on November 30th, 2022. According to GoTo, the incident resulted in the theft of encrypted backups of its own customers' data. The firm stressed that the stolen data was encrypted.
When it confirmed the breach in November, LastPass' CEO, Karim Toubba, said that an unauthorized party had accessed some customer data stored in a third-party cloud storage service. At the time of the breach, that service was shared by GoTo and LastPass.
According to LastPass, the attackers used information stolen during an earlier breach, in August 2022, to gain access to the shared cloud storage. When LastPass disclosed this, GoTo said only that it was investigating and gave no details, other than that it had engaged the security firm Mandiant and alerted law enforcement.
Beyond that, all GoTo would say at the time was that it had detected unusual activity within its development environment and a third-party cloud storage service, and that its products and services remained fully functional. It added that it would deploy enhanced security measures and monitoring capabilities across its infrastructure to detect, and ideally prevent, further activity by the threat actor.
Two months later, GoTo published a statement naming the products affected by the breach: Central, a remote monitoring and management tool; Join.me, which is commonly used for online meetings; Hamachi, a hosted VPN service; and RemotelyAnywhere, a remote access tool.
The company said the attackers exfiltrated encrypted backups related to these services, and that they also obtained an encryption key for a portion of those backups. For the backups that key protects, the encryption offers no meaningful protection: whoever holds both the ciphertext and the key can simply decrypt them. The affected information varies from product to product.
It may include account usernames, salted and hashed passwords, a portion of multi-factor authentication settings, and certain product settings and licensing data. The confirmation came directly from GoTo's CEO, Paddy Srinivasan. Note that salted and hashed passwords are not safe once stolen: an attacker can run offline guessing attacks against them, and how long that takes depends on the hashing algorithm and work factor, which the statement does not specify.
The firm’s CEO continued by saying that Rescue and GoToMyPC encrypted databases were not exfiltrated. However, MFA settings belonging to a small subset of their users were still impacted.
The confirmation came two months after the breach was first announced, a considerable delay. Worse, the statement offered affected users little in the way of remediation guidance. GoTo did confirm that it does not store users' bank details or credit card data, and that it does not collect personal information such as home addresses, dates of birth or Social Security numbers.
Meanwhile, in the LastPass breach itself, the attackers stole a wide range of sensitive data, including customers' encrypted password vaults, their names, phone numbers and email addresses, and certain billing data.
Even after GoTo's statement, it remains unknown how many users were affected. GoTo has approximately 800,000 customers, a figure that includes enterprise customers, each of which may have many users; this was confirmed by Jen Mathews, GoTo's public relations director. Beyond the statement, the company and its representatives, including spokesperson Nikolett Bacso Albaum, declined to comment further or answer additional questions.
GoTo's CEO added only that the company is contacting affected users, who should reset their passwords and reauthorize their MFA settings. The company itself intends to reset affected users' passwords and is migrating their accounts onto an enhanced Identity Management Platform, which it says will offer more robust authentication and login-based security options.