GoTo (formerly LogMeIn) confirmed on Monday that attackers stole customers’ encrypted backups related to its Central, Pro, join.me, Hamachi, and RemotelyAnywhere offerings from a third-party cloud storage service. The attackers also managed to grab an encryption key for a portion of the encrypted backups.
What happened?
In early December, LastPass and its affiliate GoTo made public a security incident involving the third-party cloud storage service both companies use, as well as GoTo’s development environment. Four months before that, LastPass suffered a data breach in which portions of its source code and some proprietary technical information were stolen.
In late December, LastPass admitted that the attackers who gained access to the third-party cloud storage service exfiltrated users’ info and copied a backup of customer vault data.
Now GoTo has disclosed that the cloud storage service compromise had more far-reaching consequences.
Because the attackers exfiltrated the encryption key for some of the encrypted backups related to GoTo’s Central (IT management solution for remotely managing PCs and servers), Pro (remote access and administration software), join.me (online meeting software), Hamachi (VPN application), and RemotelyAnywhere (remote control solution) products, they can decrypt those backups.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” GoTo CEO Paddy Srinivasan shared.
What to do?
The good news is that attackers could not have grabbed full credit card or bank details and customers’ Social Security numbers, but that will likely be cold comfort to those customers who have had their backups stolen. Nevertheless, GoTo will be in touch with them to advise them on steps they can take to further secure their accounts.
“Even though all account passwords were salted and hashed in accordance with best practices, out of an abundance of caution, we will also reset the passwords of affected users and/or reauthorize MFA settings where applicable. In addition, we are migrating their accounts onto an enhanced Identity Management Platform, which will provide additional security with more robust authentication and login-based security options,” Srinivasan added.