GoTo Technologies USA Inc., the parent company of password manager LastPass US LP, advised customers today that hackers have obtained encrypted backups and an encryption key to access some of them.
In a blog post to customers, GoTo said an investigation into a “security incident” in November has found that a threat actor exfiltrated encrypted backups from a third-party cloud storage service relating to the company’s Central, Pro, join.me, Hamachi and RemotelyAnywhere products. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” the company added.
The affected information may include account usernames, salted and hashed passwords, a portion of multifactor authentication settings, and some product settings and licensing information. Although noting that databases relating to its Rescue and GoToMyPC products were not affected, GoTo advises that the MFA settings of a small number of users of those products were affected.
GoTo is directly informing affected customers and, although the stolen passwords are encrypted, is resetting account passwords out of caution. “At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems,” the blog post reads.
The last claim is rather odd given that in December, LastPass, which is owned by GoTo, advised customers that a hacker had copied data from backups that contained customer account information. The same hacker also stole a copy of encrypted password vaults. Fast forward to January and LastPass’s parent company is now disclosing that hackers obtained an encryption key in what looks like a similar attack.
The most recent hack of LastPass may not be related to the GoTo breach, but there is a lot of overlap in the timeline. The bigger problem is that GoTo and LastPass keep being breached. This is a company that offers to protect customer passwords yet seemingly can’t provide adequate security to keep attackers out. And it wasn’t just in the last six months.
Along with two attacks in 2022, LastPass has a history of being hacked going back to 2015, followed by security issues in 2017 and 2019. In December 2021, LastPass users reported attempted logins using their master passwords, although the attack was attributed to credential stuffing. In January last year, LastPass admitted it had suffered an outage that it had initially denied was caused by a bug.
“Any breach is unfortunate for all those impacted,” Javvad Malik, security awareness advocate at security awareness training company KnowBe4 Inc., told SiliconANGLE. “While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless.”
Affected customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout, Malik added. “This can include changing their passwords,” he said. “Also, be on the lookout for any phishing or social engineering scams that can be crafted using the stolen data.”