News just in. LastPass’ parent company, GoTo, has revealed malicious actors stole encrypted customer information – and, more troublingly, a decryption key – in a November 2022 attack.
While you might not have heard of GoTo, your company will probably use at least one of its digital tools. There’s the communications platform Central, the online meetings app Join.me, the VPN service Hamachi, the remote access tool Remote Anywhere and, of course, its password manager LastPass.
Read on to discover how this breach happened, why the company is only announcing it now, and what you need to do if you’re a GoTo customer.
The backstory to the GoTo breach
If you’re a regular Polymer blog reader, you’ll know that this isn’t the first time LastPass has hit the headlines for a data breach. In fact, it’s the third. You might say that LastPass has had a string of bad luck but, actually, all these breaches are interlinked.
Back in August 2022, attackers managed to break into LastPass’ development environment, where they stole company source code and some proprietary technical information. The breach was the ground-zero for the following two incidents.
Armed with the information they stole in August, the attackers crafted a spear-phishing campaign targeting a LastPass employee. The exploit was successful, enabling the hackers to obtain credentials and keys for LastPass and GoTo’s shared cloud-based storage in November.
And that leads us to this breach. Now, you might be wondering why GoTo is only sharing news about the incident two months later. Well, on November 30th, both GoTo and LastPass confirmed that an unauthorized entity gained access to a third-party cloud service used by both companies.
The blog stated that GoTo had: “detected unusual activity within the development environment and third-party cloud storage service.” It also explained that the companies had launched a joint investigation with law enforcement and security specialists.
It appears that, finally, the results of these investigations are in – and GoTo customers have much more to worry about than the initial blog post suggested.
What happened in the GoTo breach
In its updated statement on the incident, GoTo shared that hackers managed to exfiltrate sensitive customer information relating to several of its solutions: Central, Join.Me, Hamachi and more.
As the update states, “Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.”
The update goes on to state that the impacted information includes usernames, salted and hashed passwords, multi-factor authentication (MFA) settings and some proprietary information.
Notably, while this information was stolen in encrypted form, the fact that the hackers also stole encryption keys means they could potentially decode the data and use it for all sorts of attacks: spear phishing, credentials compromise and business email compromise, but to name a few.
We’re especially concerned about the theft of the abstractly named ‘multi-factor authentication settings’. If this data links to phone numbers used for MFA codes, organizations could find themselves in a lot of trouble. Hackers could potentially use this information to bypass MFA authentication measures and break into customers’ online accounts.
In an attempt at positive PR spin, GoTo is focusing on the fact that the data didn’t include credit card details or personal information like social security numbers. But make no mistake, this is a huge breach – especially when we consider that, in the corresponding LastPass breach, attackers managed to steal encrypted password information, customer names, email addresses and more, as LastPass shared in December.
While, on its own, the individual data sets hackers managed to exfiltrate probably couldn’t be used in a successful attack, when you put it altogether, you can quickly see how attackers could use this information for highly-targeted, stealthy malicious activities.
What should GoTo customers do?
GoTo hasn’t shared how many customers are impacted by the breach. Instead, it plans to contact those affected directly with recommended next steps. It also shared that it plans to “reset the passwords of affected users and/or reauthorize MFA settings where applicable.”
While this is a good starting point, we also recommend GoTo customers be proactive and do the following:
- Change all passwords for GoTo services: If you use LastPass or any other GoTo services, change your passwords immediately across all accounts.
- Reset in-app MFA code sequences: This will prevent attackers from misusing any stolen multi-factor authentication settings related to your company.
- Change your backup codes if necessary: Invalidate older codes and regenerate new backups as a point of urgency.
- Move to app-based 2FA instead of SMS: Resetting app-based MFA sequences is much quicker, easier and more feasible than asking your employees to change their phone number, so move to app-based 2FA as soon as you can.
Want to learn more about protecting your cloud apps from malicious attacks? Read our guide to the 5 common SaaS security mistakes organizations make.