Security Key

GoTo admits hackers stole customer backups in LastPass breach

In addition to losing encrypted backups such as hashed passwords, the firm has confirmed hackers stole an encryption key relating to the data
Image: Getty via Future

25 January 2023

Communications firm GoTo has revealed that threat actors stole encrypted customer backups and sensitive product information in a November 2022 attack, which also affected subsidiary LastPass.

The firm has stated that account usernames, salted and hashed passwords, and multi-factor authentication (MFA) settings were included in the stolen information which was taken from a third party cloud storage service in the November incident. 

Although this customer backup data is encrypted, the company believes that the threat actor behind the attack also stole an encryption key for a portion of the stolen backups.




GoTo stated that the key related to a “portion” of the data, but did not elaborate on which files are vulnerable to decryption by the threat actor.

As GoTo does not store payment details, nor collect or store user addresses, dates of birth, or other such identifiable information, data of this kind was not included in the breach.

The company has also warned that backups relating to other services it runs were stolen, such as its virtual private network (VPN) product Hamachi and remote access applications Central and Pro.

GoTo subsidiary LastPass had commenced an investigation in collaboration with Mandiant following a breach in November 2022 that saw threat actors access a third party cloud storage system used by both LastPass and GoTo.

“At this time, we have no evidence of exfiltration affecting any other GoTo products other than those referenced above or any of GoTo’s production systems,” said Paddy Srinivasan, CEO at GoTo, in a blog post.

“We are contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their account.”

GoTo has stated it will provide advice for next steps for making affected accounts secure. Customers who were impacted by the breach will have passwords reset as a precautionary measure, and MFA settings reauthorised.

The firm has also committed to migrating accounts to an identity management platform, to further secure accounts against possible future action.

This is the third attack impacting GoTo and its subsidiaries in the past 12 months. In August 2022 a hacker exfiltrated LastPass source code, though Karim Toubba, CEO at the firm, denied that customer information had been impacted in this breach. 

Since then, the LastPass admitted encrypted password vaults were stolen, and that names, e-mail addresses, phone numbers and payment information. This has prompted concerns that stolen data could be used for mass phishing campaigns.

Future Publishing

Read More:

Back to Top ↑