facepalm: After LastPass was compromised, unknown hackers were able to break into the servers of other services offered by LastPass’ parent company GoTo. The new post from the CEO explains the true extent of the security incident, but doesn’t offer any real fixes for their customers.
GoTo, the company formerly known as LogMeIn, which acquired LastPass in 2021, has released a new statement on the security breach it encountered back in August 2022. According to GoTo CEO Paddy Srinivasan, after the LastPass servers were hacked, unknown cybercriminals were able to go on to compromise GoTo’s entire portfolio of services and products.
An ongoing investigation into the LastPass hack found that “an attacker stole encrypted backups from a third-party cloud storage,” Srinivasan wrote. The aforementioned cloud service hosted data for the following GoTo products: Central business communication tools, join.me online meeting services, Hamachi VPN services, and RemotelyAnywhere remote access tools.
In addition, black hat hackers were able to obtain an encryption key with which they could decrypt a “part” of the stolen encrypted backups. The data affected, according to Srinivasan, varies by product and “may include” account usernames, salted and hashed passwords, some multi-factor authentication (MFA) settings, and some product settings and licensing information.
GoTo’s CEO stated that the company does not store or collect complete credit card data, banking details, or end-user personal information such as dates of birth, home addresses, or social security numbers on its servers. LastPass, on the other hand, collected and stored “company names, end user names, billing addresses, email addresses, phone numbers, and IP addresses” of its customers prior to being hacked.
Currently, GoTo only provides “recommendations” to affected users. The company continues to contact each client directly to “provide additional information and recommend actionable steps to further protect their accounts.”
According to GoTo, all account passwords were salted and hashed in line with best practice. As a precautionary measure, GoTo is also going to “reset affected users’ passwords and/or re-authorize MFA settings, where applicable.” User accounts will be migrated to an advanced identity management platform to provide additional security through stronger authentication mechanisms.
GoTo has 800,000 corporate and private users, but the company still refuses to disclose how many were affected by the LastPass hack.