On Tuesday, GoTo (formerly LogMeIn), the parent company of LastPass, announced that an unknown party had successfully accessed encrypted backups of certain customers’ data, along with the encryption key for some of these backups, in a November 2022 incident. The company has identified that a third-party cloud storage service was targeted, which has impacted the Central, Pro, and join.me, Hamachi, and RemotelyAnywhere products.
According to a statement by GoTo’s Paddy Srinivasan, the data that may have been affected by this incident includes account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information. Additionally, it has been noted that MFA settings for a subset of Rescue and GoToMyPC customers were also impacted; however, there is currently no evidence to suggest that the encrypted databases associated with these services were exfiltrated.
GoTo has not disclosed the total number of affected users but has stated that it is actively reaching out to affected individuals to provide additional information and recommend appropriate actions to secure their accounts. To further mitigate the potential impact of this incident, the company has implemented measures such as resetting affected users’ passwords and requiring reauthorization of MFA settings. The company is also in the process of migrating these accounts to an enhanced identity management platform that aims to offer more robust security.
It is important to note that GoTo has emphasized that it does not store full credit card details and that it does not collect personal information such as dates of birth, addresses, and Social Security numbers.
This announcement follows nearly two months after both GoTo and LastPass disclosed “unusual activity within a third-party cloud storage service” that is shared by the two platforms. In December 2022, LastPass also reported that the digital burglary leveraged information stolen from an earlier breach that took place in August, enabling the attacker to steal a large amount of customer data, including a backup of their encrypted password vaults. It was reported that the stolen information was “used to target another employee, obtaining credentials and keys that were used to access and decrypt some storage volumes within the cloud-based storage service.”