Additional GoTo Data Stolen in the LastPass Breach

On the blog of remote collaboration and IT software company GoTo, CEO Paddy Srinivasan writes:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

If that sounds bad, it is. And if it sounds familiar, that’s because GoTo owns LastPass, and these backups stolen were part of the theft of LastPass’s password vaults (see “LastPass Shares Details of Security Breach,” 24 December 2022). GoTo says it is contacting affected customers directly to recommend actionable steps to secure their accounts, and it will reset the passwords and MFA settings of affected users. Regardless, if you use any GoTo services, especially the ones listed above, we recommend you reset your passwords, reset or enable multi-factor authentication, and verify that no extra user accounts have been added. And, frankly, consider moving to other services.

Read original article