LastPass Owner GoTo Says Hackers Stole Encrypted Customer Backups and Keys

Image: GoTo

GoTo, previously known as LogMeIn, has started notifying customers that a November 2022 hack of its development environment resulted in bad actors taking off with encrypted backups of customer data and an encryption key for a portion of the stolen information — reports BleepingComputer.

The company provides cloud-based remote work, collaboration, and IT support tools. GoTo also owns LastPass, another victim of the November breach that lost not only customers’ personal information but encrypted password vaults as well. The hack targeted a third-party cloud storage service used by both GoTo and LastPass.

In an email shared with BleepingComputer by a reader, GoTo wrote:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility. ln addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data.

According to GoTo, the incident affected data backups belonging to customers of its Central and Pro product tiers. The stolen information includes account usernames and even account passwords. User passwords were salted and hashed, making them exponentially difficult — if not impossible — to decrypt.

GoTo added that users’ Deployment and provisioning data, some Multi-Factor Authentication information, and One-To-Many scripts belonging to Central customers were also taken.

In addition, the threat actors made off with users’ personal information used for licensing and purchasing, including email addresses, phone numbers, billing addresses, and even the last four digits of credit card numbers.

As a precautionary measure, GoTo is resetting passwords for impacted Central and Pro accounts. Alongside the password reset, users are also being migrated to GoTo’s enhanced Identity Management Platform. Some users may also be prompted to update their Multi-Factor Authentication settings.

The company went on to tout Central and Pro accounts’ layers of defence, including peer-to-peer technology, end-to-end encryption, and TLS 1.2, which provide additional security during remote sessions and prevent bad actors from using the stolen data to intercept or eavesdrop on transmissions and data transfers.

Per BleepingComputer, the hackers could still decrypt the stolen data backups using the encryption key they extracted if GoTo used a symmetrical encryption protocol like AES. GoTo, meanwhile, said its investigation of the incident and the fallout from it is ongoing.