LastPass issued a security update just before Christmas, advising customers that the breach it had previously disclosed was worse than first announced. The news dropped late on the Thursday before Christmas, at a time when LastPass customers were hardly in a position to worry about the integrity of their passwords. Now, about a month later, LastPass parent company GoTo has announced that the November security breach was even worse than we thought.
Hackers didn’t just steal encrypted passwords from LastPass consumers. They also downloaded encrypted backups from various GoTo products, putting the security of GoTo customers at risk.
LastPass first disclosed the security breach in August 2022, expanding on the matter in November. The hackers weaponized information from the August hack to steal LastPass data in November. LastPass disclosed the turn of events on the Thursday before Christmas. LastPass parent company GoTo also posted a notice about the security incident in November.
On Tuesday, GoTo CEO Paddy Srinivasan updated the announcement, detailing the massive breach that impacted other GoTo services.
“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere,” the blog post reads.
Moreover, the hackers downloaded an encryption key for a portion of the encrypted backups.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information,” Srinivasan said about the GoTo security breach. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
GoTo is already contacting impacted customers with additional information and recommendations to secure their accounts. Out of an abundance of caution, GoTo will reset all passwords and reauthorize MFA settings. Furthermore, the company is migrating customer accounts onto an enhanced Identity Management Platform. This should provide additional security, including “more robust authentication and login-based security options.”
On a positive note, GoTo says it doesn’t store credit card or bank details. Also, it doesn’t collect personal information like dates of birth, home addresses, or Social Security numbers.
Still, it’s unclear how many GoTo customers are affected. Per TechCrunch, GoTo has 800,000 customers, including enterprises.
If you’re a LastPass user or you use other GoTo products, you should ensure that your accounts are safe and your data is secure. Furthermore, if you still haven’t changed the passwords you stored in LastPass, you should do so as soon as you can. The hackers might never breach your encrypted passwords, but it’s better to be safe than sorry.