GoTo, the parent company of LastPass, has confirmed that hackers stole customers’ encrypted backups and encryption keys in the data breach that it first disclosed in November 2022.
The notification sent to customers says “Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility.” The encrypted backup includes key information such as usernames, passwords, Deployment and provisioning information, Multi-factor authentication information, Deployment and provisioning information, and Licensing and purchasing data like emails, phone numbers, billing addresses, and last four digits of credit card numbers.
We have no information about the type of encryption the company used for the backups. If the company used asymmetrical encryption, there is a possibility to decrypt the encrypted backup using the stolen encryption key.
When the company first disclosed the breach, it claims that hacked managed to gain access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. Now the company says that the impact of that breach was more than it initially thought. It affected several GoTo products including Central, and Join.me, Hamachi, and Remotely Anywhere.
The company didn’t confirm how many customers are affected by the breach. It has reset Central and Pro passwords for impacted customers. GoTo also automatically migrates these accounts to GoTo’s enhanced Identity Management Platform.
The investigation is still underway and the company has promised to update customers when it finds something important to share.
