Date: 2023-01-25

In November 2022, GoTo faced a security incident involving its third-party cloud storage service, which is shared by both GoTo and its subbrand LastPass.

GoTo, the owner of the subscription-based password manager LastPass, has published an update on the November 2022 security incident in which customers’ vault data was stolen. As of January 23, 2023, GoTo’s investigation reveals that a threat actor stole encrypted backups from a third-party cloud storage service related to Central, Pro, join.me, Hamachi, and RemotelyAnywhere products.

Some data is still protected

According to LastPass, the threat actor copied backup data containing basic customer account information such as business names, user names, billing addresses, email addresses, contact information, and the IP addresses from which clients were accessing their service.

At this time, LastPass has found no evidence of exfiltration affecting any other GoTo products except the ones mentioned above. LastPass announced that it will reset the passwords of affected users and/or reauthorize MFA settings as a precaution.

« The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted. »

LastPass reminds its users that the master password is never revealed to LastPass and is never stored or maintained by it. LastPass also adds that GoTo does not collect or use end-user personal information, such as date of birth, home address, or Social Security numbers.