Remote access outfit GoTo has admitted that a threat actor exfiltrated an encryption key that allowed access to “a portion” of encrypted backup files.
A third-party cloud storage service that GoTo uses for its own products and for affiliate biz LastPass was attacked in August 2022. GoTo and LastPass revealed the incident in separate notifications that The Register covered after the companies ’fessed up in November 2022.
LastPass later admitted that some of its source code was accessed, data stored in the cloud decrypted, and files containing customers’ passwords copied. Thankfully those files were well encrypted, so customer data was likely not at risk unless customers practiced poor password hygiene.
Now GoTo has offered more information on the attack, revealing the attacker “exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.”
“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.”
Thankfully the data was, again, decently protected.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information,” wrote GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
As the passwords were salted and hashed, Srinivasan expressed confidence that customers are safe.
He’s nonetheless decided it’s best to reset the