GoTo — LastPass’s owner — has released a statement confirming that its customers’ encrypted backups were stolen by hackers during a system breach that took place last year.
On Nov. 30, GoTo CEO Paddy Srinivasan confirmed that “unusual activity” had been detected within the company’s development environment and the third-party cloud storage service it shares with LastPass. Now, two months later, Srinivasan has released another statement confirming the products that were affected in the breach.
“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere,” Srinivasan said. “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.”
GoTo also confirmed that the information affected during the breach may include “account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
The SaaS company claimed it doesn’t store full credit card or bank details of its customers or collect personal information, such as home addresses, dates of birth, or Social Security numbers. This may be the reason the company hasn’t provided remediation guidance or advice for customers affected by this cybersecurity incident.
However, GoTo has said that the company is “contacting affected customers directly to provide additional information and recommend actionable steps for them to take to further secure their accounts.”
The company is also executing safety measures such as reauthorizing MFA settings where applicable, resetting the passwords of affected users, and migrating their accounts onto an enhanced Identity Management Platform.