LastPass security breach keeps getting worse, admits parent company

Facepalm: After compromising LastPass, unknown attackers were able to breach servers belonging to other services offered by LastPass's parent company GoTo. A new message from the CEO explains the true extent of the security incident but offers no real remediation to customers.

GoTo, the company formerly known as LogMeIn, which acquired LastPass in 2015, released a new statement regarding the security breach it experienced back in August 2022. According to GoTo CEO Paddy Srinivasan, after breaching LastPass servers, the unknown cybercriminals were able to further compromise several products in GoTo's portfolio.

The ongoing investigation into the LastPass breach determined that "a threat actor exfiltrated encrypted backups from a third-party cloud storage service," Srinivasan wrote. That cloud service was hosting data for the following GoTo products: the business communication tool Central, the online meeting service join.me, the VPN service Hamachi, and the remote access tool RemotelyAnywhere.

Moreover, the attackers were able to obtain an encryption key with which they could have decrypted "a portion" of the stolen encrypted backups. The affected data, Srinivasan said, varies by product and "may include" account usernames, salted and hashed passwords, a portion of the multi-factor authentication (MFA) settings, as well as some product settings and licensing information.

GoTo's CEO said the company does not store or collect full credit card numbers, bank details, or end-user personal information such as dates of birth, home addresses, or Social Security numbers on its servers. LastPass, on the other hand, was collecting and storing "company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses" of its customers before the breach.

Currently, GoTo is only providing "recommendations" to affected users. The company is still contacting each customer directly to "provide additional information and recommend actionable steps for them to take to further secure their accounts."

All account passwords were salted and hashed in accordance with best practices, GoTo said. The statement does not name the hashing algorithm or its work factor, so the offline cracking risk for weak passwords cannot be judged from it. Out of an abundance of caution, GoTo is also going to "reset the passwords of affected users and/or reauthorize MFA settings where applicable." User accounts will be migrated to an enhanced Identity Management Platform to provide additional security with more robust authentication mechanisms.

GoTo has 800,000 business and private users, but the company is still refusing to disclose how many of them were affected by the LastPass breach.
