LastPass’ parent company GoTo – formerly known as LogMeIn – has confirmed that hackers stole customers’ encrypted backups during a recent breach of its systems.
The breach was first confirmed by LastPass on November 30. At the time, LastPass said that an ‘unauthorized party’ had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The hackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data.
Now, almost two months’ later, in an updated statement GoTo has said that the cyberattack has impacted several of its products, including business communications tool Central, online meetings service Join.me; hosted VPN service Hamachi and its Remotely Anywhere remote access tool.
The hackers exfiltrated customers’ encrypted backups from these services, which included the company’s encryption key for securing the data.
GoTo has said that the company does not store customers’ credit card or bank details or collect personal information, such as date of birth, home address or Social Security Numbers. This, however, is in clear contrast to the hack affecting its subsidiary LastPass. During the attack at LastPass, hackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers and some billing information.
GoTo has 800,000 customers, including enterprises but has not indicated how many customers are affected. Furthermore, despite the delay, GoTo has not provided any remediation guidance or advice for affected customers.
Does your organization make use of a program where passwords or other sensitive information is saved? It may be time to review the Information Security Policy to ensure technical and organizational measures are in place to adequately protect personal data. Contact us, the Experts in Data Privacy, at firstname.lastname@example.org for assistance.