GoTo Admits Hackers Stole Customers’ Backups & Encryption Keys

By Adeola Adegunwa
Writer, Informationsecuritybuzz | Jan 25, 2023 01:58 am PST

Customers of GoTo (previously LogMeIn) are being alerted that threat actors took encrypted backups, including user information and an encryption key for some of that data, when they infiltrated its development environment in November 2022. GoTo offers a platform for cloud-based remote working, collaboration, and communication, in addition to solutions for remote IT management and technical support.

According to the internal inquiry, the issue significantly impacted GoTo’s clients. In November 2022, the business revealed a security flaw in its development environment and in a cloud storage service used by its subsidiary, LastPass. At that time, the organization’s investigation into the event, with assistance from cybersecurity company Mandiant, had barely started, so the impact on client data was not yet known.

Hackers Exfiltrated The Encryption Backup

A reader sent in a notification about GoTo’s security problem, stating that the attack impacted backups related to the Central and Pro product tiers kept in a third-party cloud storage facility.

Customers are informed in the warning that “our investigation to date has established that a threat actor exfiltrated encrypted backups relating to Central and Pro from a third-party cloud storage facility.”

“We also have proof that one of the threat actors exfiltrated the encryption key for some of the encrypted data. However, we salt and hash the passwords for Central and Pro accounts as part of our security processes. The encrypted backups now have an additional degree of protection as a result.”

The following data is contained in the backups that were exfiltrated:

  • Usernames for accounts in Central and Pro
  • Passwords for Central and Pro accounts (salted and hashed)
  • Information about deployment and provisioning
  • Scripts for one-to-many (Central only)
  • Information about multi-factor authentication
  • Licensing and buying information such as emails, phone numbers, billing addresses, and credit card last four digits

GoTo is changing Central and Pro passwords for impacted customers in response to the issue, and accounts are immediately switched to GoTo’s improved Identity Management Platform.

Additional security measures offered by this platform make unwanted account access or takeover considerably more difficult. According to a GoTo update on the incident, the company is reaching out to affected customers individually to provide additional information and advice on how they may improve the security of their accounts.

The organization has not disclosed the type of encryption employed for the backups. Still, if symmetric encryption, such as AES, was employed, it could be feasible to decrypt the backups using the encryption key that was taken.

According to the company, man-in-the-middle attacks cannot affect clients because TLS 1.2 encryption and peer-to-peer technologies are used to prevent eavesdropping. The company also notes that it has not yet found proof that the intruders ever gained access to its production systems. The situation is still being investigated by GoTo, which is committed to informing clients of any significant results.

GoTo did not disclose the number of impacted consumers. Jen Mathews, director of public relations at GoTo, claimed that the company has 800,000 clients, including businesses, but she declined to address our other queries. When contacted by TechCrunch before publication, GoTo spokeswoman Nikolett Bacso-Albaum repeatedly declined to comment or address the issues raised.

GoTo is reportedly reaching out to affected customers directly and encouraging them to reset their passwords and reauthorize their MFA settings “out of an excess of caution,” according to Srinivasan.

Tips For Using Password Managers

Customers of LastPass may want to consider switching password managers due to the seriousness of the most recent data breach. These five suggestions are for safe practices when using password managers.

  • Identify a new password manager.

Given LastPass’ history of security issues and the seriousness of this most recent leak, it’s more important than ever to look for an alternative.

  • Make the primary password strong and memorable.

Using a lengthy, complex password is necessary to safeguard your password manager. However, picking a phrase can protect it from attacks and save you from having to jot it down on a post-it note. This is especially true of phrases that are exclusively significant to you.

  • Multi-factor authentication is crucial.

Some password managers go so far as to automatically generate second-factor codes, making the login procedure even simpler. Of course, you should also use MFA to secure your password management account.

  • Securely share a password.

Many password managers allow you to share your credentials with another person without revealing your password to them. Even if you trust them enough to provide it, this is an extra security measure in case they unintentionally compromise the credential. Be careful who you share with, because there are ways to obtain the credentials.

  • Several devices.

Your password manager should be usable on all your devices, unless you use only one. You shouldn’t need to continually take out one device in order to look up the password to use on another one.

GoTo has acknowledged that hackers acquired customers’ encrypted backups during a recent system compromise. LastPass initially acknowledged the vulnerability on November 30. At that time, LastPass CEO Karim Toubba said that some user data in a third-party cloud service shared by LastPass and GoTo had been accessed by an “unauthorized entity.” The hackers further compromised the companies’ shared cloud data by using data that was taken from a previous breach of LastPass servers in August. GoTo, which acquired LastPass in 2015, announced it was looking into the situation.
