LastPass’s parent company, GoTo, said more about the damage caused to the password manager, affected by several major leaks. Incidentally, the company revealed that several other of its services had also been affected.
The LastPass soap opera got a new twist this week. Boston-based GoTo released a few days ago its ” response to a recent security incident. More specifically, the parent company of LastPass returned to the hacking suffered by the manager in November which, it should be remembered, was the second of the calendar year. This had, moreover, at the end of 2022, aroused strong criticism from its competitors, but not only!
A hacked service that hid… four others!
Regarding the November breach, GoTo CEO Paddy Srinivasan confirmed that hackers did exfiltrate backups, data that was stored in the cloud, from a service itself linked to other products.
The boss of GoTo specifies that the Hamachi VPN server, the videoconferencing service Join.me, the software dedicated to Central businesses and the RemotelyAnywhere remote access solution were also affected. The attackers were indeed able to recover a certain amount of data related to this software.
The hackers managed to obtain a key to decrypt part of the backups. Among the exfiltrated data, GoTo evokes usernames or even hashed and salted passwords. Small precision, do not confuse an encrypted password (which therefore assumes that there is a way to decrypt it) with a salted and hashed password, which will be transformed, to which we will add characters and which will not works only one way (in other words, which is much more secure than a simply encrypted password).
Application policy data and licensing information were also stolen. While not stolen by the hackers, the Rescue and GoToMyPC databases were nonetheless impacted, with the potential theft of some Multi-Invoice Authentication (MFA) settings.
GoTo is active to reassure its customers and users
GoTo claims to be gradually contacting all of its customers and users, to give them some useful recommendations for better securing their account. All users affected by the November leak have had their passwords (even if salted and hashed) reset. GoTo evokes here the choice of the ” caution “.
The various affected services have since been migrated to a more secure platform, which includes user accounts. The company adds that the infrastructure ” will provide additional security, with more robust authentication and login-based security options “.
And to reassure the most worried, and while the investigation into this breach continues, GoTo reminded that it does not store the full bank details of its users, nor the personal information that would allow them to be identified, such as the date of birth, mailing address or social security number.
Source : GoTo
4