Skip to content
Thoughtful, detailed coverage of everything Apple for 34 years
and the TidBITS Content Network for Apple professionals

Additional GoTo Data Stolen in the LastPass Breach

On the blog of remote collaboration and IT software company GoTo, CEO Paddy Srinivasan writes:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro,, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

If that sounds bad, it is. And if it sounds familiar, that’s because GoTo owns LastPass, and these backups stolen were part of the theft of LastPass’s password vaults (see “LastPass Shares Details of Security Breach,” 24 December 2022). GoTo says it is contacting affected customers directly to recommend actionable steps to secure their accounts, and it will reset the passwords and MFA settings of affected users. Regardless, if you use any GoTo services, especially the ones listed above, we recommend you reset your passwords, reset or enable multi-factor authentication, and verify that no extra user accounts have been added. And, frankly, consider moving to other services.

Read original article

Subscribe today so you don’t miss any TidBITS articles!

Every week you’ll get tech tips, in-depth reviews, and insightful news analysis for discerning Apple users. For over 33 years, we’ve published professional, member-supported tech journalism that makes you smarter.

Registration confirmation will be emailed to you.

This site is protected by reCAPTCHA. The Google Privacy Policy and Terms of Service apply.

Comments About Additional GoTo Data Stolen in the LastPass Breach

Notable Replies

  1. @Adam, in the article you say

    if you use any GoTo services, …

    I don’t recognize any of the services mentioned, other than LastPass. How would I know whether any other service I use is part of GoTo?

  2. as matt stoller writes, we can thank private equity for that.

    can’t wait until 1password gets crappified by the same robber barons — oh wait …

  3. If you don’t recognize those names, you’re good.

Join the discussion in the TidBITS Discourse forum


Avatar for ace Avatar for gerrie Avatar for henry.crun