Customer data, encryption key stolen in GoTo breach

Threat actors exfiltrated encrypted customer account data and an encryption key for a number of GoTo services in a breach first disclosed last November.

Remote work technology provider GoTo, formerly LogMeIn, published an update Monday to a blog post dedicated to a breach that occurred last year. At the time the breach was disclosed on Nov. 30, GoTo CEO Paddy Srinivasan wrote that the company was investigating a security incident and had "detected unusual activity within [GoTo's] development environment and third-party cloud storage service."

Srinivasan said in the update that a threat actor had "exfiltrated encrypted backups" from a third-party cloud storage service related to GoTo services Central, Pro, Join.me, Hamachi and RemotelyAnywhere. In addition, the actor stole an encryption key for a "portion" of the backups, though it's unclear what products and customer data might be at risk.

"The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information," Srinivasan wrote. "In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted."

According to the disclosure, GoTo will contact affected customers directly to provide next steps and reset their passwords and MFA settings as applicable.

Srinivasan said the company has no evidence that the breach affected GoTo production systems or any other GoTo products. However, the third-party cloud storage service, which remains unnamed, is shared by both GoTo and GoTo subsidiary LastPass, which on Nov. 30 shared a separate blog post about a similar security incident.

In that disclosure, LastPass CEO Karim Toubba said a threat actor leveraged data in the company's August security breach to "gain access to certain elements of [LastPass] customers' information."

The password management vendor shared the full scope of the November breach on Dec. 22, disclosing that a threat actor used technical data stolen from the August breach to target another LastPass employee. The actor then stole dual storage container decryption keys and a cloud storage access key, which they used to access and exfiltrate customer data from backup.

Data stolen in this second LastPass breach included personal and business customer information, as well as a backup of customer vault data; the vault included encrypted website login information such as usernames and passwords, as well as unencrypted website URLs. The scope of the LastPass breach was met with criticism by competitors and security experts.

GoTo did not say whether the breach it suffered was the same as the one experienced by LastPass. However, both disclosure posts were initially published on Nov. 30, and GoTo engaged incident response firm Mandiant in both cases.

GoTo has not responded to TechTarget Editorial's request for clarification at press time.

Alexander Culafi is a writer, journalist and podcaster based in Boston.