If a locked filing cabinet is stolen along with its key, can you still say it’s locked? GoTo thinks you can

Graham Cluley
Graham Cluley
@
@[email protected]
@gcluley

If a locked filing cabinet is stolen along with its key, can you say it's still locked? GoTo thinks you can

Last week, GoTo (the parent company of LastPass, which has been the victim of some recent horrendous security breaches itself) announced it had also been hacked.

Here’s part of what GoTo said:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

Urk. That’s bad. Losing backups is arguably as bad as losing your password vaults. But hey, good to know the backups were encrypted…

We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.

Oh. So when you said the backups were encrypted, you actually meant that they were encrypted but they could be unencrypted with ease?

To say the backups were encrypted is a bit like trying to argue that a locked box is locked, if the key to the locked box is stolen at the same time as the box.

The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

GoTo has apparently been forcing password resets on affected accounts and reauthorising MFA settings “out of an abundance of caution.”

Sign up to our free newsletter.
Security news, advice, and tips.

Apparently the breach occurred at a third-party cloud storage service, which GoTo and the beleagured LastPass both use.

Although, no doubt, there will be questions as to whether GoTo had adequately configured the security of the cloud-based storage for its backups, there are perhaps even more questions to ask regarding how careful it was being with the encryption key for those backups.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "Smashing Security" podcast. Follow him on Twitter, Mastodon, Threads, Bluesky, or drop him an email.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.