LastPass security breach keeps getting worse, admits parent company

Facepalm: After compromising LastPass, unknown hackers were able to breach the servers of other services offered by LastPass parent company GoTo. A new message from the CEO explains the true extent of the security incident but offers no actual remediation to its customers.

GoTo, the company formerly know as LogMeIn that acquired LastPass in 2021, released a new statement regarding the security breach it experienced back in August 2022. According to GoTo CEO Paddy Srinivasan, after breaching LasPass servers, the unknown cyber-criminals were able to further compromise GoTo’s entire portfolio of services and products.

The ongoing investigation into the LastPass breach determined “a threat actor exfiltrated encrypted backups from a third-party cloud storage service,” Srinivasan wrote. The aforementioned cloud service was hosting data for the following GoTo product: business communication tool Central, online meeting service join.me, VPN service Hamachi, and remote access tool RemotelyAnywhere.

Furthermore, the black hat hackers were able to obtain an encryption key with which they could have decrypted “a portion” of the stolen encrypted backups. The affected data, Srinivasan said, varies by product and “may include” account usernames, salted and hashed passwords, a portion of the multi-factor authentication (MFA) settings, as well as some product settings and licensing information.

GoTo’s CEO said the company does not store or collect full credit card, bank details or end user personal information such as birth dates, home addresses, or Social Security numbers on its servers. LastPass, on the other hand, was collecting and storing “company names, end-user names, billing addresses, email addresses, telephone numbers, and IP addresses” of its customers before the breach.

Currently, GoTo is only providing “recommendations” to affected users. The company is still contacting each customer directly to “provide additional information and recommend actionable steps for them to take to further secure their accounts.”

All account passwords were salted and hashed in accordance with best practices, GoTo said. Out of an abundance of caution, GoTo is also going to “reset the passwords of affected users and/or reauthorize MFA settings where applicable.” User accounts will be migrated to an enhanced Identity Management Platform, to provide additional security with more robust authentication mechanisms.

GoTo has 800,000 enterprise and private users, but the company is still refusing to disclose how many of them were affected by the LastPass breach.