GoTo, LastPass Confirm Hacker Attack On Shared Cloud-Storage Services

LastPass chief executive Karim Toubba says ‘unauthorized party’ recently gained access to some customers’ information but all passwords are safe.


GoTo, maker of the popular virtual meeting and desktop-sharing software, and its affiliate LastPass confirmed on Wednesday that their shared cloud-storage service was hit by unknown hackers.

In a post Wednesday, LastPass CEO Karim Toubba said his password-management firm recently “detected unusual activity” within its third-party cloud storage service and immediately launched an investigation, which included hiring security firm Mandiant and alerting law enforcement officials.

“We have determined that an unauthorized party, using information obtained in (a) August 2022 incident, was able to gain access to certain elements of our customers’ information,” he said. “Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture.”


The name of the third-party cloud-storage service was not disclosed.

In a separate post Wednesday, GoTo chief executive Paddy Srinivasan made no mention of an unauthorized party gaining access to some customers’ information.

Addressing GoTo customers, Srinivasan said that his firm was “investigating a security incident” and that “we are currently working to better understand the scope of the issue.”

Srinivasan said that Boston-based GoTo, like LastPass, has engaged Mandiant and informed law enforcement officials about the incident.

“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.”

Srinivasan added: “GoTo’s products and services remain fully functional. As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity.”

As for LastPass, Toubba said in his post that the investigation of the breach is ongoing.

“We are working diligently to understand the scope of the incident and identify what specific information has been accessed,” he said.

“In the meantime, we can confirm that LastPass products and services remain fully functional. As always, we recommend that you follow our best practices around setup and configuration of LastPass, which can be found here.”

It was the second security incident disclosed by LastPass this year, following an August intrusion in which the firm’s “developer environment was breached via a compromised developer account.”

Information stolen during the summer incident was used in the most recent incident, LastPass confirmed Wednesday.

In 2015, GoTo, then known as LogMeIn, acquired LastPass. Last year, GoTo announced it was planning to spin off LastPass into a separate company.

A representative for GoTo referred CRN inquiries to its blog announcement. A representative for LastPass could not be reached for comment.

A GoTo spokeswoman said the company expects the LastPass spinoff to occur in 2023.