GoTo, LastPass’ parent company, has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.
LastPass confirmed the breach for the first time on November 30. LastPass CEO Karim Toubba stated at the time that an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. To further compromise the companies’ shared cloud data, the attackers used information stolen from an earlier breach of LastPass systems in August. GoTo, which purchased LastPass in 2015, stated at the time that it was looking into the incident.
GoTo said in an updated statement almost two months later that the cyberattack impacted several of its products, including the business communications tool Central, the online meetings service Join.me, the hosted VPN service Hamachi, and its Remotely Anywhere remote access tool.
According to GoTo, the intruders stole customers’ encrypted backups from these services, as well as the company’s encryption key used to secure the data.
“Affected information may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” GoTo CEO Paddy Srinivasan explained. “In addition, while the encrypted databases of Rescue and GoToMyPC were not exfiltrated, the MFA settings of a small subset of their customers were impacted.”
Despite the delay, GoTo did not provide affected customers with any remediation guidance or advice.
According to GoTo, the company does not store credit card or bank information for customers, nor does it collect personal information such as date of birth, home address, or Social Security numbers. This contrasts sharply with the hack affecting its subsidiary, LastPass, in which attackers stole the contents of customers’ encrypted password vaults, as well as their names, email addresses, phone numbers, and some billing information.
GoTo did not specify the number of customers affected. According to GoTo public relations director Jen Mathews, who declined to answer our other questions, the company has 800,000 customers, including enterprises. When contacted prior to publication, GoTo spokesperson Nikolett Bacso-Albaum repeatedly declined to comment or respond to TechCrunch’s questions.
According to Srinivasan, GoTo is directly contacting affected customers and advising them to reset passwords and reauthorize MFA settings “out of an abundance of caution.”