Last week, GoTo (the parent company of LastPass, which has been the victim of some recent horrendous security breaches itself) announced it had also been hacked.
Here’s part of what GoTo said:
Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
Urk. That’s bad. Losing backups is arguably as bad as losing your password vaults. But hey, good to know the backups were encrypted…
We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.
Oh. So when you said the backups were encrypted, you actually meant that they were encrypted but they could be unencrypted with ease?
To say the backups were encrypted is a bit like trying to argue that a locked box is locked, if the key to the locked box is stolen at the same time as the box.
The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.
GoTo has apparently been forcing password resets on affected accounts and reauthorising MFA settings “out of an abundance of caution.”
Apparently the breach occurred at a third-party cloud storage service, which GoTo and the beleaguered LastPass both use.
Although, no doubt, there will be questions as to whether GoTo had adequately configured the security of the cloud-based storage for its backups, there are perhaps even more questions to ask regarding how careful it was being with the encryption key for those backups.
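To make the "locked box stolen with its key" point concrete, here is an added example (not GoTo's code and not describing GoTo's actual setup) contrasting two backup layouts: one that stores the data-encryption key in the same bucket as the backup, and an envelope layout where the data key is wrapped under a key-encryption key (KEK) that is held elsewhere, such as a KMS or HSM. It uses only the Python standard library, so the cipher is HMAC-SHA256 run in counter mode with an HMAC tag (encrypt-then-MAC); that is an assumed stand-in for a vetted AEAD like AES-GCM, chosen so the script runs offline. All key values, bucket field names and the sample backup contents are constructed for the example.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32  # SHA-256 digest size


def _subkey(key: bytes, label: bytes) -> bytes:
    # Domain-separate the encryption key and the MAC key from one master key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # PRF (HMAC-SHA256) in counter mode. Stand-in for AES-GCM so the
    # example needs no third-party package; a real system would use an AEAD.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    # Output layout: nonce || ciphertext || tag (encrypt-then-MAC).
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    # Verify the tag in constant time before touching the ciphertext; a wrong
    # key or a tampered blob is rejected with ValueError.
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("truncated blob")
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered data")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ciphertext))
    return bytes(a ^ b for a, b in zip(ciphertext, ks))


def backup_key_beside_data(plaintext: bytes) -> dict:
    # Weak layout (hypothetical): the data-encryption key (DEK) is written into
    # the same storage bucket as the encrypted backup.
    dek = secrets.token_bytes(32)
    return {"ciphertext": encrypt(dek, plaintext), "dek": dek}


def restore_with_bucket_only(bundle: dict) -> bytes:
    # Anyone who copies the bucket holds both the box and the key;
    # the encryption adds no protection in this layout.
    return decrypt(bundle["dek"], bundle["ciphertext"])


def backup_envelope(plaintext: bytes, kek: bytes) -> dict:
    # Envelope layout (hypothetical): a fresh DEK encrypts the backup and is
    # itself wrapped under a KEK that never leaves the key service.
    dek = secrets.token_bytes(32)
    return {"ciphertext": encrypt(dek, plaintext), "wrapped_dek": encrypt(kek, dek)}


def restore_envelope(bundle: dict, kek: bytes) -> bytes:
    # Without the KEK the wrapped DEK cannot be opened, so a copy of the
    # bucket alone is just a locked box.
    dek = decrypt(kek, bundle["wrapped_dek"])
    return decrypt(dek, bundle["ciphertext"])


if __name__ == "__main__":
    sample = b"users.csv (constructed): alice,$pbkdf2$...;bob,$pbkdf2$..."
    kek = secrets.token_bytes(32)  # would live in a KMS/HSM, not in the bucket
    print(restore_with_bucket_only(backup_key_beside_data(sample)) == sample)  # True
    bundle = backup_envelope(sample, kek)
    print(restore_envelope(bundle, kek) == sample)  # True
    try:
        restore_envelope(bundle, secrets.token_bytes(32))
    except ValueError as exc:
        print("bucket copy without KEK:", exc)
```

The lesson the two layouts illustrate is the one the post is driving at: "the backups were encrypted" only means something if the key material needed to decrypt them is stored and access-controlled separately from the backups, with its own audit trail, so that exfiltrating the storage service does not also hand over the key.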