LastPass owner GoTo reports hack of encrypted backups of other services


In the major hack on LastPass in November, encrypted backups of other services from parent company GoTo were also stolen. This concerns data from VPN service Hamachi, meeting service Join.me and remote access tool Remotely Anywhere. Decryption keys have also been stolen.

GoTo warns customers in a blog post and is contacting them separately. According to the company, GoTo Central and Pro, Join.me, Hamachi and Remotely Anywhere had “encrypted backups” stolen in an attack. Those are all products made by GoTo. Which information was stolen differs per service. In most cases, this includes at least usernames, passwords, part of users’ multifactor authentication settings, and customer product and license information.

While the passwords were salted and hashed, GoTo says decryption keys were also stolen in some cases. The exact impact of this and what can be decrypted with the data is not known.

The attack is believed to have occurred in November 2022. That’s also when password manager LastPass, part of GoTo, was hit. There has been a lot of criticism of the way GoTo handled that data breach. The company had to make new revelations more than once, which showed, for example, that passwords were stolen and that they were less secure than expected, even though the company had downplayed the situation earlier.

The attackers allegedly entered the other GoTo services after breaking into LastPass. Details about the hack are still scarce. The new leak with the other GoTo products raises further questions about the security situation at GoTo and LastPass; the fact that, in addition to passwords, decryption keys and MFA information were also stolen suggests that much of that data was kept together or at least could easily be found together.

GoTo is not saying how many customers are affected. Also, the company does not publicly indicate whether it can help customers. GoTo does say that passwords have been reset and that accounts will be transferred to a new identity management platform from now on, but it does not provide any details.
