LastPass owner GoTo confirms hackers stole customer data

25 Jan 2023

GoTo said the hacker may have stolen an encryption key, which could be used to unscramble some of the sensitive stolen data.

GoTo – formerly LogMeIn – has confirmed that encrypted customer data was stolen in the recent cyberattack that impacted LastPass.

The breach came when a “threat actor” accessed a third-party cloud storage service at the end of November 2022.

This is the same backup storage used by its affiliate company LastPass, which confirmed customer data was stolen last month. That breach included basic account information and encrypted data such as passwords.

Following its investigation, GoTo said the hacker stole data on customers that use its Central, Pro, join.me, Hamachi, and RemotelyAnywhere services.

The stolen data varies by product but includes usernames, salted and hashed passwords and some multi-factor authentication (MFA) settings, along with product settings and licensing information.

Similar to the stolen LastPass data, much of the more sensitive information such as passwords is encrypted. However, GoTo said the hacker may have stolen an encryption key, which could be used to unscramble some of the sensitive data.

GoTo CEO Paddy Srinivasan said the company is contacting affected customers to help them take “recommend actionable steps” to keep their accounts secure. He said they will reset passwords and reauthorise MFA settings for affected users out of “an abundance of caution”.

“In addition, we are migrating their accounts onto an enhanced identity management platform, which will provide additional security with more robust authentication and login-based security options,” Srinivasan said in a blog post.

GoTo said it does not store full credit card details, bank details or personal information such as home addresses.

“We appreciate your understanding while we continue to work expeditiously to complete our investigation,” Srinivasan said.

Cyberattacks continue to be a concern for various companies, with a number of high-profile breaches already occurring in 2023.

Earlier this month, T-Mobile revealed it is investigating a data breach that impacted roughly 37m current postpaid and prepaid accounts. Royal Mail also confirmed it was temporarily unable to send items overseas after being disrupted by a “cyber incident”.

Leigh Mc Gowran is a journalist with Silicon Republic
