Facepalm: After compromising LastPass, unknown hackers were able to breach the servers of other services offered by LastPass's parent company, GoTo. A new message from the CEO explains the true extent of the security incident, but does not offer any real fixes for its customers.
GoTo, the company formerly known as LogMeIn, which acquired LastPass in 2021, has released a new statement about a security breach it encountered back in August 2022. According to GoTo CEO Paddy Srinivasan, after the LastPass servers were hacked, unknown cybercriminals were able to go on to compromise the entire portfolio of GoTo services and products.
The ongoing investigation into the LastPass hack revealed that "an attacker stole encrypted backups from a third-party cloud storage," Srinivasan wrote. The aforementioned cloud service hosted data for the following GoTo products: the Central business communication tools, the join.me online meeting service, the Hamachi VPN service and the RemotelyAnywhere remote access tool.
In addition, the black-hat hackers were able to obtain an encryption key with which they could decrypt a "portion" of the stolen encrypted backups. According to Srinivasan, the data affected varies by product and "may include" account usernames, salted and hashed passwords, a portion of the multi-factor authentication (MFA) settings, as well as some product settings and licensing information.
The CEO of GoTo stated that the company does not store or collect complete information about credit cards, bank details or personal information of the end user, such as dates of birth, home addresses or social security numbers, on its servers. LastPass, on the other hand, collected and stored “company names, end-user names, billing addresses, email addresses, phone numbers and IP addresses” of its customers prior to the hack.
GoTo currently only provides “recommendations” to affected users. The company continues to contact each customer directly to “provide additional information and recommend effective steps to further protect their accounts.”
According to GoTo, all account passwords were salted and hashed according to best practice. As a precaution, GoTo is also going to "reset the passwords of affected users and/or re-authorize the MFA settings, where applicable." User accounts will be migrated to an enhanced identity management platform to provide additional security through more robust authentication mechanisms.
GoTo has 800,000 corporate and private users, but the company still refuses to disclose how many of them were affected by the LastPass hack.