LastPass owner GoTo shares more bad news about November’s security breach


The company formerly known as LogMeIn has confirmed attackers made off with customers’ encrypted backups and the encryption key for a ‘portion’ of them.

Art rendering of transparent laptop in front of a wall of surveilling eyes.

Photo by Amelia Holowaty Krales / The Verge

GoTo, the remote collaboration and IT software company that owns LastPass, has confirmed that, along with the LastPass password vaults, it also had customer data taken by attackers during a November 2022 security breach (via TechCrunch).

The company, which was formerly known as LogMeIn, is updating its blog post about the breach for the first time since November 30th, when GoTo confirmed “unusual activity” within its development environment and cloud storage service.

A number of GoTo’s business products were affected, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. GoTo CEO Paddy Srinivasan writes that a hacker “exfiltrated encrypted backups from a third-party cloud storage service” and got the encryption key for a portion of them — almost two months ago. The data taken varies by product but “may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

Encrypted databases for the better-known GoToMyPC remote desktop software and Rescue weren’t taken by the attackers; however, “MFA settings of a small subset of their customers were impacted.”

GoTo is apparently contacting affected customers directly to provide further information as well as guidance on what actions to take. Passwords for their accounts will be reset “out of an abundance of caution,” and MFA will also be reauthorized. Srinivasan also wrote that affected accounts will be migrated to a different Identity Management Platform for added security, one with “more robust authentication and login-based security options.”

Our first whiff of the breach was in August, when LastPass notified customers that an unauthorized party had compromised a developer account. Information taken during that attack was apparently used in November, when hackers succeeded in obtaining customer vaults — a fact that was only announced publicly late in the day on Thursday, December 22nd, when many people were preparing to take a holiday break.

Cybersecurity experts tore apart LastPass’ response to the leak, accusing the company of not being clear about the severity of the situation and of not admitting that it had failed to contain the breach.

Now, Srinivasan is dealing with a heavy fallout that’s only getting worse. But the CEO is telling customers that GoTo doesn’t store their full credit card and banking details and doesn’t collect PII such as date of birth, address, and Social Security numbers. LastPass also played down a separate incident in 2021 in which customers were barraged by constant unauthorized login attempts.
