The data breach of the LastPass password manager keeps haunting its parent company, GoTo, and its customers.
Software and remote collaboration firm GoTo, which owns LastPass, has confirmed that during the security breach that occurred in November 2022, hackers stole some customers’ encrypted data and LastPass password vaults.
GoTo, previously called LogMeIn, has shared new findings about the security breach it disclosed on November 30, 2022. GoTo had previously confirmed that unusual activity was noticed in its cloud storage service and development environment.
GoTo now says that several of its products were affected. Encrypted customer backups, the emergency recovery copies kept for Central, Pro, join.me, Hamachi, and RemotelyAnywhere, were taken from the cloud storage.
Worse, GoTo stated that an encryption key used to secure a portion of those backups was also stolen in the November 2022 breach. For the customers whose data was protected by that key, the encryption offers no protection: the attackers hold both the ciphertext and the means to decrypt it.
How Did The Breach Occur?
The November intrusion traces back to an earlier breach in August 2022, in which an unauthorized party gained access to customer data stored on a third-party cloud storage service shared by GoTo and LastPass.
Using information obtained in that August breach, the attackers returned in November, accessed another LastPass database, and captured customer data from the shared cloud storage service.
Stolen Data Details
Earlier, the company stated that the stolen data included names, billing addresses, email addresses, IP addresses, and phone numbers, and that unencrypted credit card data was not accessed.
It has now revealed that encrypted customer data was also exposed, along with product-related data: account usernames, a portion of MFA (multi-factor authentication) settings, salted and hashed passwords, and some product settings and licensing data. Salted hashes are not plaintext, but they can be attacked offline at the attacker's leisure, so any weak or reused password in those sets should be treated as compromised and rotated.
According to Paddy Srinivasan, GoTo's CEO, the encrypted databases for Rescue and GoToMyPC were not compromised, and only a small subset of customers' MFA settings was affected.
Srinivasan also wrote in the company's blog post that there is no evidence any other GoTo products were impacted by the theft. GoTo has not said how many customers are affected, but it is notifying those who are.