Just when we thought the November LastPass hack was behind us, new information has come to light about the extent of the breach. LastPass’ parent company, GoTo (formerly LogMeIn), has confirmed that the threat actors behind the security breach stole customers’ encrypted backups during the recent compromise of its systems.
LastPass CEO Karim Toubba first confirmed the breach in November, stating that an “unauthorized party” had gained access to some customer information stored in a third-party cloud service. The attackers reportedly used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data.
Impact on GoTo’s enterprise products
The extent of the breach is far larger than initially thought. GoTo now says that the security breach affected several of its products, including Central, Join.me, Hamachi, and RemotelyAnywhere. The company also confirmed that the attackers exfiltrated customers’ encrypted backups from these services, along with the company’s encryption key, which undermines the protection the encryption was meant to provide.
GoTo CEO Paddy Srinivasan said that the information the attackers stole varies by product but may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, and some product settings and licensing information. The attackers did not obtain the encrypted databases of GoToMyPC and Rescue, although the MFA settings of a small subset of those customers were affected.
In response to this breach, GoTo is directly contacting affected customers to provide additional information and support. Users will have to change their passwords and reauthorize MFA. GoTo is also migrating the affected accounts to a different Identity Management Platform with more robust authentication and login-based security options. The company assures customers it does not store their full credit card and banking details and does not collect PII, such as date of birth, address, and Social Security numbers.