GoTo, the parent company of the online password manager LastPass, has confirmed that the cyberattack it suffered in November resulted in the theft of encrypted backups belonging to some customers of services such as Hamachi and Remotely Anywhere.
GoTo has updated its information about the cyberattack it suffered in November, when it detected unusual activity within its development environment and its third-party storage service, which it shares with LastPass.
Now it has indicated that said security incident affected several of its products, including the business communications tool Central, online meeting service Join.me, the hosted VPN service Hamachi and its remote access tool Remotely Anywhere.
Specifically, the attacker extracted the encrypted backup copies of the clients of these services, as stated in an update on its website. In addition, GoTo has explained that an encryption key for a part of the encrypted backups was also stolen during the attack.
On this point, the CEO of GoTo, Paddy Srinivasan, has indicated that the affected information may vary depending on the product. However, it includes account usernames; salted and hashed passwords (a password protection system); part of the multi-factor authentication (MFA) setup, which adds a layer of protection to the login process; as well as some product settings and licensing information.
In addition, it has also detailed that, although the encrypted databases of the Rescue and GoToMyPC services have not been leaked, the MFA configuration of “a small subset” of its customers has been affected.
At the moment, these are the services that have had customers affected by the cyberattack. “We are not aware that the leak has affected other GoTo products other than those mentioned above,” stated Srinivasan.
In this regard, the company has indicated that it is directly contacting affected customers and providing them with measures to “better protect your accounts”. GoTo has also reported that it is resetting the passwords of the affected users and that it will re-authorize the MFA configuration “when appropriate”.
Another of the measures it has communicated is to migrate customer accounts to an “enhanced” Identity Management Platform. In this way, GoTo aims to offer additional security by including “stronger” authentication options.
Finally, GoTo has reiterated that it never stores full credit card or other bank data, nor does it collect personal information from end users such as date of birth or social security number.
LASTPASS SECURITY INCIDENT
GoTo affiliate LastPass also reported a security incident involving the third-party cloud storage service in August. The attack used a compromised user account that facilitated access to, and theft of, “portions of the source code and certain proprietary technical information of LastPass.”
Subsequently, in December the company reported the initiation of an investigation together with the security firm Mandiant after detecting unusual activity on the part of a third party, which would have taken advantage of the information stolen in the breach confirmed in August. However, they claimed that users’ personal information had not been compromised.
Weeks later, LastPass posted an update admitting that the attacker did take advantage of that security breach to steal part of its code and technical information and to access information saved in its cloud storage service, even copying an existing backup in the cloud.