LastPass, a popular password management service, has lost the trust of the tech industry after its parent company, GoTo (formerly LogMeIn), confirmed that hackers stole customers’ encrypted backups during a recent breach of its systems. The breach, which was first confirmed on November 30th, was caused by an unauthorized party gaining access to customer information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data.
GoTo, which purchased LastPass in 2015, initially said that it was investigating the incident. However, almost two months later, GoTo provided an updated statement confirming that the cyberattack had impacted several of its products, including: business communications tool Central; online meetings service Join.me; remote device access tool Pro; hosted VPN service Hamachi; and its RemotelyAnywhere remote access tool. The company also confirmed that the intruders had exfiltrated customers’ encrypted backups from these services, along with the company’s encryption key for securing the data.
According to GoTo CEO Paddy Srinivasan, “The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information.” The company also stated that while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.
Despite the delay, GoTo provided no remediation guidance or advice for affected customers. This is a major disappointment for customers who were expecting the company to take responsibility for the breach and provide clear instructions on how to protect their data.
GoTo stated that the company does not store customers’ credit card or bank details, or collect personal information, such as date of birth, home address, or Social Security numbers. This is in sharp contrast to the hack affecting its subsidiary, LastPass, during which attackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers, and some billing information.
GoTo did not say how many customers are affected. The company has 800,000 customers, including enterprises, according to GoTo public relations director Jen Mathews, who declined to answer other questions. GoTo spokesperson Nikolett Bacso-Albaum also repeatedly declined to comment or respond to TechCrunch’s questions when reached prior to publication.
The breach at LastPass has raised serious concerns about the company’s ability to protect customer data and maintain the trust of the tech industry. GoTo CEO Paddy Srinivasan says the company is contacting affected customers directly and advising them to reset passwords and reauthorize MFA settings “out of an abundance of caution.” Beyond that, the company has offered no remediation guidance or advice for affected customers, which is a major disappointment, and it remains to be seen how GoTo will regain the trust that has been lost.