LastPass owner GoTo reports hack of encrypted backups of other services

In the major hack of LastPass in November, encrypted backups of other services from parent company GoTo were also stolen. This concerns data from VPN service Hamachi, meeting service Join.me and remote access tool Remotely Anywhere. Decryption keys were also stolen.

GoTo is notifying customers in a blog post and is contacting them separately. According to the company, GoTo Central and Pro, Join.me, Hamachi and Remotely Anywhere had “encrypted backups” stolen in an attack. Those are all products made by GoTo. Which information was stolen differs per service. In most cases, this includes at least usernames, passwords, some of users’ multi-factor authentication settings, and customer product and license information.

Although the passwords were salted and hashed, GoTo says that in some cases decryption keys have also been stolen. The exact impact of this and what can be decrypted with the data is not known.

The attack is said to have taken place in November 2022. That’s also when password manager LastPass, part of GoTo, was hit. There is a lot of criticism about the way GoTo handled that data breach. The company had to make new revelations more than once, which showed, for example, that passwords had been stolen and that they were less secure than expected, even though the company downplayed the situation earlier.

The attackers are said to have gained access to the other GoTo services after getting into LastPass. Details about the hack are still scarce. The new leak involving the other GoTo products raises further questions about the security situation at GoTo and LastPass: the fact that, in addition to passwords, decryption keys and MFA information were also stolen suggests that much of that data was kept together, or could at least easily be found together.

GoTo does not say how many customers were affected. Also, the company does not publicly indicate whether it can help customers. GoTo does say that passwords have been reset and that accounts will now be transferred to a new identity management platform, but it does not provide details.
