GoTo hack sees attackers get both backups and encryption key



A GoTo hack related to the LastPass security breach was far worse than initially disclosed. The company, formerly known as LogMeIn, has revealed that attackers obtained not only encrypted backups of customer data, but also an encryption key for at least some of that data.

It echoes the LastPass hack, which followed the same path from a low-key initial announcement to revelations that the breach was significantly worse than initially feared …

LastPass hack

GoTo affiliate company LastPass announced back in August that it suffered an attack on its own systems, but said at the time that there was no sign that user data was compromised.

That changed in December, when the company revealed that the attackers did indeed access customer data. It said at the time that passwords were safe, as only the customer held the decryption key. LastPass later went further, and admitted that far more data was obtained.

Copies of customers’ password vaults were obtained along with names, emails, billing addresses, phone numbers, and more. 

The company continued to insist that customer logins were safe, but a security researcher accused it of telling “half-truths and outright lies.” Password-management rival 1Password then disputed that customer passwords were not at risk, due to weak security practices.

GoTo hack

Back in November, GoTo said that attackers gained access to the company’s development environment, and a third-party cloud storage company used by both it and LastPass.

The announcement was a relatively low-key one, in which it appeared that only company data had been accessed, not customer data.

However, the company recently began emailing customers, advising that backups of their data had been accessed.

The information in the affected backups includes your Central and Pro account usernames and salted and hashed passwords. It also includes your deployment and provisioning information, One-To-Many scripts (Central only), some Multi-Factor Authentication information, licensing and purchasing data such as user emails, phone numbers, billing addresses, and the last four digits of credit card numbers (we do not store full credit card or bank details).

GoTo also admitted that an encryption key for at least some of the data had been obtained.

In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups.

Bleeping Computer, however, says that this may not be the full story.

While the company has not shared the type of encryption used for the backups, if they used asymmetrical encryption, such as AES, then it could be possible to decrypt the backups using the stolen encryption key.

GoTo is forcing password resets of affected accounts, but this would not appear to prevent access to the data the hackers have already obtained.
