GoTo revealed that threat actors stole customers’ backups and encryption key for some of them

GoTo is notifying customers that its development environment was breached in November 2022, attackers stole customers’ backups and encryption key.

GoTo, formerly LogMeIn Inc, is a flexible-work provider of software as a service (SaaS) and cloud-based remote work tools for collaboration and IT management,

The company is warning customers that threat actors breached its development environment in November 2022 and stole encrypted backups and an encryption key.

“Upon learning of the incident, we immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.” reads the data breach notification.

The security breach was disclosed in November 2022, but at the time the company was not able to determine the impact on its customers’ data. Now the investigation revaled that threat actors were able to access customers’ data.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.” reads an update provided by the company.

The attackers were able to steal encrypted backups related to Central and Pro products from a third-party cloud storage service.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.” continues the notice.

GoTo is resetting Central and Pro passwords for impacted customers and/or reauthorizing MFA settings where applicable. The company is also migrating the accounts onto an enhanced Identity Management Platform in response to the incident.

GoTo pointed out that it does not store full credit card or bank details. The company also added that it does not collect or use end user personal information, such as date of birth, home address, or Social Security numbers.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, GoTo)

[adrotate banner=”5″]

[adrotate banner=”13″]