Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Breaches

GoTo Says Hackers Stole Encrypted Backups, MFA Settings

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Hackers Stole Encrypted Backups, MFA Settings from GoTo, LastPass

IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate.

GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.

In a notice posted online, Srinivasan the encrypted backups were related to multiple GoTo-owned software products:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere

We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. 

In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Srinivasan said the company has no evidence of exfiltration affecting any other GoTo products or any of GoTo’s production systems.

Even though all account passwords were salted and hashed in accordance with best practices, Srinivasan said GoTo plans to reset the passwords of affected users and/or reauthorize MFA settings where applicable. 

“In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” the GoTo CEO said. 

In August last year, GoTo affiliate LastPass disclosed a data breach that included the theft of source code and proprietary technical information.  In November, GoTo said it was also affected by that hack, which is linked to an unnamed third-party cloud security vendor.

In a worrisome update in late December, the password management outfit admitted the hackers behind the August breach stole a massive stash of customer data, including password vault data that could be exposed by brute-forcing or guessing master passwords.

LastPass said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.  

In addition, the unidentified actor was also able to copy a backup of customer vault data from an encrypted storage container.

The exposed container contained both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

Related: LastPass Says Password Vault Data Hijacked in Data Breach

Related: LastPass Source Code Stolen in Data Breach

Related: GoTo, LastPass Notify Customers of New Data Breach Related to Previous Incident

Related: LastPass Found No Code Injection Attempts Following August Data Breach

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment

Expert Insights

Related Content

Cybercrime

Zendesk is informing customers about a data breach that started with an SMS phishing campaign targeting the company’s employees.

Data Breaches

Companies affected by the recent Mailchimp data breach have started notifying customers. The list includes WooCommerce, FanDuel, Yuga Labs and the Solana Foundation.

Incident Response

Cygnvs emerges from stealth mode with an incident response platform and $55 million in Series A funding.

Funding/M&A

Thoma Bravo will spend $1.3 billion to acquire Canadian software firm Magnet Forensics, expanding a push into the lucrative cybersecurity business.

Incident Response

A new Mississippi Cyber Unit will be the state’s centralized cybersecurity threat information, mitigation and incident reporting and response center.

Data Breaches

T-Mobile disclosed another massive data breach affecting approximately 37 million customer accounts.

Data Breaches

A ransomware attack on Yum Bands forced the parent company of KFC and Taco Bell to close hundreds of restaurants in the United Kingdom

Data Breaches

Zacks Investment Research is informing 820,000 individuals that their personal data was compromised in a data breach.