face palm: After the LastPass hack, unknown hackers managed to compromise the servers of other services provided by LastPass’ parent company GoTo. A new letter from the CEO explains the true extent of the security incident but doesn’t offer an actual remedy to its customers.
GoTo, the company formerly known as LogMeIn that acquired LastPass in 2021, has released a new statement regarding the security breach that happened back in August 2022. According to GoTo CEO Paddy Srinivasan, after hacking into LastPass servers, anonymous cybercriminals managed to compromise GoTo’s entire suite of services and products.
The ongoing investigation into the LastPass breach determined that “a threat agent stole encrypted backups from a third-party cloud storage service,” Srinivasan wrote. The aforementioned cloud service was hosting data for the following GoTo products: a centralized business communications tool, the online meeting service Join.me, the VPN service Hamachi, and the remote access tool RemotelyAnywhere.
Furthermore, the black hat hackers managed to obtain an encryption key with which they could decrypt a “part” of the stolen encrypted backups. Affected data varies by product and “may include” account usernames, salted and hashed passwords, and part of multi-factor authentication (MFA) settings, as well as some product settings and licensing information, Srinivasan said.
GoTo’s CEO said the company does not store or collect full credit card or banking details or end-user personal information such as birthdates, home addresses or Social Security numbers on its servers. LastPass, on the other hand, was collecting and storing “company names, end-user names, billing addresses, email addresses, phone numbers, and IP addresses” of its customers prior to the breach.
For now, GoTo only provides “recommendations” for affected users. The company says it is still contacting each customer directly to “provide additional information and recommend actionable steps for them to take extra security with their account.”
GoTo said that all accounts’ passwords have been salted and hashed according to best practices. Out of an abundance of caution, GoTo will also “reset affected users’ passwords and/or re-authorize MFA settings where applicable”. User accounts will be migrated to an enhanced identity management platform, to provide additional security with more robust authentication mechanisms.
GoTo has 800,000 enterprise and private users, but the company still refuses to disclose how many people were affected by the LastPass breach.