GoTo is confronting potentially extensive damage after a threat actor exfiltrated encrypted backups and an encryption key tied to some of the stolen data.
The parent company of LastPass said a breach first detected by the password manager in August 2022 resulted in a similar, subsequent breach through same attack vector, GoTo said in a Monday blog post.
The compromise broadened the extent of damage and potentially exposed customers’ usernames, salted and hashed passwords and a portion of multifactor authentication settings.
“We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” GoTo CEO Paddy Srinivasan said in a blog post. GoTo, formerly LogMeIn, provides multiple cloud-based tools for remote work, collaboration and IT management.
The encrypted backups were lifted from a third-party cloud storage service, the same storage vault that significantly compromised password manager LastPass, leaving users’ master passwords as the sole line of defense. GoTo and LastPass share the third-party cloud storage service.
The compromise at GoTo impacts multiple products, including Central, Pro, join.me, Hamachi and RemotelyAnywhere, Srinivasan said.
The update, nearly two months after GoTo first publicly acknowledged the incident, follows a similar pattern that’s played out at LastPass. The CEOs of both companies have shared escalating warnings as their investigation progresses.
There is, however, one key difference between GoTo and LastPass. GoTo does not store credit card or bank details, dates of birth, home addresses or Social Security numbers, Srinivasan said.
LastPass’ cloud-based storage vault included encrypted passwords and usernames, and unencrypted data, such as the websites customers access via the password manager, some billing information, email addresses, phone numbers and the IP addresses customers use to access the platform.
GoTo is contacting affected customers and proactively resetting the passwords or MFA settings where applicable, Srinivasan said, but GoTo’s production systems are not impacted.
The company did not say how many customers are potentially affected by the incident.
Details of the cyberattack, which are now coming out in waves from both companies, should be seen as a cautionary tale for multiple reasons, according to Katell Thielemann, VP analyst at Gartner.
“Concentration risks should jump to the top of everyone’s list,” Thielemann said via email following the most recent update from LastPass.
“We are likely to see more attacks targeting one entity to compromise many more, and cloud-based providers are going to be the first in line,” she said.
The single point of failure, which led to subsequent losses for both companies, underscores how cyberattacks can progress and become part of an ongoing campaign.
The mounting damage at LastPass and now GoTo, both of which were hit by the same point of initial intrusion, emphasizes a lack of extensive monitoring and logging that might have prevented a subsequent compromise, according to Chester Wisniewski, field CTO of applied research at Sophos.
“It all comes back to logging and monitoring,” Wisniewski said via email. “You can’t analyze the logs you never collected.”