
Data Security Incident at GoTo, the Owner of LastPass Password Manager

A cyberattack on a shared cloud storage platform escalates the fallout for the businesses involved.


In a concerning turn of events, cloud-based tools provider GoTo and password manager service LastPass have both been targeted in a cyberattack. The breaches, first detected in August 2022, have raised questions about the extent of monitoring and logging in these services.

GoTo, which offers a suite of remote work, collaboration, and IT management tools, has confirmed that its production systems are not impacted by the breach. However, the attack has potentially exposed customers' usernames, salted and hashed passwords, and a portion of multifactor authentication settings. Additionally, an encryption key for a portion of the encrypted backups was exfiltrated. GoTo is currently in the process of contacting affected customers and proactively resetting passwords or MFA settings where necessary.

The breach at GoTo has affected multiple products, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. The exact number of potentially affected customers is currently unknown.

Both LastPass and GoTo were compromised through the same point of initial intrusion. LastPass' cloud-based storage vault included encrypted passwords and usernames, as well as some unencrypted data such as websites customers access, billing information, email addresses, phone numbers, and IP addresses. The breach served as a reminder of the importance of data security, with Katell Thielemann, VP analyst at Gartner, stating that concentration risks should be prioritized, and cloud-based providers are likely to be the first targets in ongoing cyberattack campaigns.

The cyberattack on LastPass and GoTo serves as a cautionary tale. Chester Wisniewski, Field CTO of Applied Research at Sophos, emphasizes the importance of logging and monitoring in preventing subsequent compromises. He suggests that robust logging and monitoring can help detect and respond to such incidents more effectively.

The attackers targeting GoTo, who stole encrypted backups and encryption keys, were identified by the GoTo security team in collaboration with external cybersecurity experts. The single point of failure in the cyberattack on LastPass and GoTo underscores how cyberattacks can progress and become part of an ongoing campaign.

It's worth noting that GoTo does not store credit card or bank details, dates of birth, home addresses, or Social Security numbers. LastPass, on the other hand, does store some unencrypted data, making it more vulnerable to breaches.

As the investigations into these breaches continue, both companies are urging their customers to remain vigilant and to take necessary steps to secure their accounts. This includes resetting passwords, enabling multifactor authentication, and staying informed about any updates or developments.

In the wake of these incidents, it's clear that the need for robust security measures, including extensive monitoring and logging, has never been more important. As we continue to rely on cloud-based services for our work and personal lives, it's essential that these services prioritize security to protect their users' data.
