GoTo Breach Led To Theft Of Encrypted Backups, Possible Decrypter
The company says that encrypted backups were acquired by the attacker for the Central, Pro, join.me, Hamachi and RemotelyAnywhere products.
Virtual meetings and desktop-sharing software vendor GoTo this week informed customers that backups for five of its product lines were acquired by a malicious actor in the November breach of its third-party cloud storage service.
The attacker may have also stolen an encryption key for “a portion of the encrypted backups,” potentially enabling them to decrypt some of the customer data.
In a letter to customers posted by GoTo on its website Monday, the company said that encrypted backups were acquired by the attacker for the Central, Pro, join.me, Hamachi and RemotelyAnywhere products.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information,” GoTo, which was previously known as LogMeIn, said in the letter to customers.
While the initial details on the November breach had mentioned that the affected third-party cloud storage service was also shared by the LastPass password manager tool, which is a GoTo affiliate, this week’s update post does not mention LastPass among the products that saw backups and a potential decrypter stolen in the attack.
“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems,” GoTo said in the letter to customers. CRN has reached out to GoTo to confirm that LastPass was not affected.
LastPass had previously said that an attacker “was able to gain access to certain elements of our customers’ information” in connection with the November breach.
The attacker used information that was obtained in a prior breach of a LastPass cloud storage service, in August 2022, to enable the attack in November.
The prior breach in August has posed a more serious threat to users of the password manager, with “a backup of customer vault data” among the data stolen by a threat actor during the attack. The customer vault is used to store user data including usernames and passwords.
Marco Nielsen, vice president of endpoint services at Chicago-based Barcodes Inc., said the LastPass breach was a “very scary” incident. It’s not uncommon for solution providers to use password managers such as LastPass to store important customer passwords, Nielsen said.
The idea has been that “we want to stop putting [customer passwords] in spreadsheets,” he said. “But we might have to go back to that, because that seems to be something we can control and protect. And these third parties, even though they have all of this security on the front end, they can’t protect it on the backend. It’s very sad.”