Additional GoTo Data Stolen in the LastPass Breach
On the blog of remote collaboration and IT software company GoTo, CEO Paddy Srinivasan writes:
Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.
If that sounds bad, it is. And if it sounds familiar, that’s because GoTo owns LastPass, and these stolen backups were part of the theft of LastPass’s password vaults (see “LastPass Shares Details of Security Breach,” 24 December 2022). GoTo says it is contacting affected customers directly to recommend actionable steps to secure their accounts, and it will reset the passwords and MFA settings of affected users. Regardless, if you use any GoTo services, especially the ones listed above, we recommend you reset your passwords, reset or enable multi-factor authentication, and verify that no extra user accounts have been added. And, frankly, consider moving to other services.
@Adam, in the article you say
I don’t recognize any of the services mentioned, other than LastPass. How would I know whether any other service I use is part of GoTo?
As Matt Stoller writes, we can thank private equity for that.
Can’t wait until 1Password gets crappified by the same robber barons — oh wait …
If you don’t recognize those names, you’re good.
Join the discussion in the TidBITS Discourse forum