GoTo might not be the average password user’s go-to for much longer now that the LastPass owner has implied that it was hacked, putting client usernames and other sensitive data into the hands of a threat actor.
If this is indeed the case, the incident is all the more awkward given GoTo subsidiary LastPass suffered a notorious breach in the run-up to Christmas.
GoTo owns a suite of tech products besides LastPass, including GoTo Webinar for online meetings and seminars, and GoToMyPC, which allows authorized remote access to computers for administrative purposes.
“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service,” said the company in a statement it updated on January 23, adding that the latter was “shared by both GoTo and its affiliate, LastPass.”
Cybersecurity watchdog Sophos said the incident “involved a development network break-in,” calling it “curiously similar” to the LastPass breach that unfolded in the second half of 2022.
It added: “We have to assume – given that the statement explicitly notes that the cloud service was shared between LastPass and GoTo while implying that the development network wasn’t – that this breach didn’t start months earlier in LastPass’s development system.
“The suggestion seems to be that, in the GoTo breach, the development network and cloud service intrusions happened at the same time, as though this was a single break-in that yielded two targets right away.”
Sophos says this stands in contrast to the LastPass incident, “where the cloud breach was a later consequence of the first.”
GoTo said its inquiry found that encrypted backups were stolen from the cloud by a threat actor as yet unidentified, leading to the exposure of account usernames and passwords, among other data.
It said: “We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information.”
Hashing and salting are techniques for storing passwords as one-way digests rather than in plaintext, while MFA requires users to submit more than one form of identification before accessing a device or system.
“In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” said GoTo, adding that it had no evidence to suggest any other products in its roster had been affected.
The company added it was reaching out to affected customers and, where necessary, issuing resets for MFA and passwords despite its hashing and salting practice, “out of an abundance of caution.”