GoTo Says Hackers Stole Customer Data and Encryption Keys

GoTo, formerly LogMeIn Inc., has acknowledged that a threat actor stole an encryption key that gave access to a portion of the backup files that were encrypted. Information about certain customers was stolen from a third-party cloud storage service that LastPass and parent GoTo shared.

GoTo offers a platform for cloud-based remote working, collaboration, and communication, in addition to solutions for remote IT management and technical support.

The company revealed a security flaw in its development environment and a cloud storage service used by both it and its subsidiary, LastPass, in November 2022.

The company’s investigation into the incident, with assistance from cybersecurity company Mandiant, had barely started, thus the impact on the client data wasn’t yet known. The issue had a major impact on GoTo’s customers, according to the internal inquiry so far.

The assault affected backups related to the Central and Pro product tiers kept in a third-party cloud storage facility, according to a GoTo’s security incident notification.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility,” reads the notice to customers.

“In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups.”  GoTo.

The backups that were exfiltrated contained the following data:

• Central and Pro account usernames
• Central and Pro account passwords (salted and hashed)
• Deployment and provisioning information
• One-to-Many scripts (Central only)
• Multi-factor authentication information
• Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information,” wrote GoTo CEO Paddy Srinivasan. 

“In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

GoTo is changing Central and Pro passwords for impacted customers in response to the issue, and accounts are immediately switched over to GoTo’s improved Identity Management Platform.

Additional security measures offered by this platform make unwanted account access or takeover considerably more difficult.

According to a GoTo update on the incident, the company is reaching out to affected customers individually to provide additional information and advice on how they may improve the security of their accounts.

As stated by the company, man-in-the-middle assaults cannot have any impact on customers because TLS 1.2 encryption and peer-to-peer technologies are used to avoid eavesdropping.  The company also notes that it still has no proof that the intruders ever gained access to its production systems.

Srinivasan expressed assurance that customers remain secure as the data was salted and hashed. Nevertheless, he has determined that it is best to change the MGA settings and/or reset the passwords for the affected users.

Network Security Checklist – Download Free E-Book