LastPass has been under intense scrutiny over the last few months following multiple security breaches that included the theft of user data, but it wasn’t just LastPass. The password manager is owned by GoTo, the maker of products like GoToMyPC, Hamachi, and more. The parent company now confirms that it, too, was targeted in the November incident. And yes, user data from several of its products was taken by the attackers.
In a blog post, GoTo CEO Paddy Srinivasan explains that the hackers who accessed the company’s servers were able to exfiltrate encrypted backups for Central, Pro, join.me, Hamachi, and RemotelyAnywhere. That encryption might not matter very much: Srinivasan notes that the attacker also took an encryption key for “a portion” of those backups, but he does not specify which products’ backups that key covers.
Many of the affected products are enterprise-facing, which makes them an especially juicy target. For example, Hamachi is a hosted VPN service that, if compromised, could allow an attacker to access a private LAN environment. Srinivasan says that the specific data stolen varies by product but includes things like usernames, salted and hashed passwords, licensing information, and even multi-factor authentication settings. Credit card and banking details were not affected.
The salted and hashed passwords should be safe in theory, but GoTo has still been forcing password resets on affected accounts. It also had some users reconfigure their multi-factor authentication settings. The company continues to reach out to customers hit by the breach with steps they should take to secure their accounts and data. Additionally, GoTo is migrating those accounts to an “enhanced Identity Management Platform” that will provide better security in hopes of thwarting any attempt to use the stolen data.
We first heard about the latest campaign against LastPass in August 2022 when someone breached its security and made off with engineering data. That information was leveraged for the second attack in November 2022, in which the perpetrators stole encrypted password vaults. This is also when the unknown parties copied data from GoTo’s products. LastPass says the password vaults are still secure thanks to its “zero knowledge” design, but some security experts have called the company out for underselling the severity of the breach. The latest disclosure, coming more than two months after the attack, certainly lends credence to that point of view.