LastPass’ parent company GoTo — formerly LogMeIn — has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.
The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.
Now, nearly two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including: business communications tool Central; online meetings service Join.me; hosted VPN service Hamachi; and its RemotelyAnywhere remote access tool.
GoTo said the intruders exfiltrated customers’ encrypted backups from these services — as well as the company’s encryption key for securing the data.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases weren’t exfiltrated, MFA settings of a small subset of their customers were impacted.”
Despite the delay, GoTo provided no remediation guidance or advice for affected customers.
GoTo, which in November cut 12% of its workforce, said the company doesn’t store customers’ credit card or bank details, or collect personal information, such as date of birth, home address, or Social Security numbers. That’s in sharp contrast to the hack affecting its subsidiary, LastPass, during which attackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers, and some billing information.
GoTo didn’t say how many customers are affected. GoTo has more than 65 million customers, according to its last earnings report. GoTo spokesperson Nikolett Bacso-Albaum has repeatedly declined to comment or respond to TechCrunch’s questions.
Srinivasan says GoTo is contacting affected customers directly, and is advising those impacted to reset passwords and reauthorize MFA settings “out of an abundance of caution.”