GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data.
GoTo provides a platform for cloud-based remote working, collaboration, and communication, as well as remote IT management and technical support solutions.
In November 2022, the company disclosed a security breach of its development environment and of a cloud storage service shared by GoTo and its affiliate, LastPass.
At the time, the impact on client data was not yet known, as the company's investigation into the incident, conducted with the help of cybersecurity firm Mandiant, had just begun.
The internal investigation so far has revealed that the incident had a significant impact on GoTo's customers.
According to a GoTo security incident notification that a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.
"Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.
The information present in the exfiltrated backups includes the following:
- Central and Pro account usernames
- Central and Pro account passwords (salted and hashed)
- Deployment and provisioning information
- One-to-Many scripts (Central only)
- Multi-factor authentication information
- Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers

In response to the situation, GoTo is resetting Central and Pro passwords for impacted customers and automatically migrating accounts to GoTo's enhanced Identity Management Platform.
This platform provides additional security controls that make unauthorized account access or takeover much more challenging.
GoTo has published an update to the incident saying that it is contacting affected customers directly to offer more details and recommendations for actionable steps to increase the security of their accounts.
While the company has not shared the type of encryption used for the backups, if it used symmetric encryption, such as AES, then it could be possible to decrypt the backups using the stolen encryption key.
The firm adds that it still has no evidence that the intruders ever got access to its production systems and says that man-in-the-middle attacks couldn't have any impact on clients because TLS 1.2 encryption and peer-to-peer technology are used to prevent eavesdropping.
GoTo's investigation into the incident is still underway, and the company promised to update customers should any important findings surface.
Comments
h_b_s - 1 year ago
So, keys to the kingdom, the entire kingdom, plus all the horses, and the king's underwear.
Beyond incompetence. Beyond negligent. Possibly criminal in some jurisdictions.
These kinds of breaches are why competent data security policies should mandate long term storage be moved offline and stored off site, while the data moved to long term storage is destroyed on any live media to prevent accidental remote access. In fact, any half competent lawyer in charge of data retention and e-discovery should be demanding it.
Shplad - 1 year ago
A few years ago, I was experiencing complex problems caused deep in my Windows installs.
Against my better judgment, I let Microsoft techs access my PC remotely on 2 different occasions. Guess which remote access tool they were using? They damaged my system to the point where it wouldn't boot. If I hadn't had image backups, I would have had to reinstall everything from scratch (which is another story for another time). Supposedly, this was caused by a bug in LogMeIn.
Back on topic...I wonder if Microsoft support staff will be aware of this breach, or if it will be business as usual and they'll just keep using these tools.
Anyone want to wager that nothing was properly secured here? I guess almost every company has to be breached before they start learning their lesson, huh?
Wannabetech1 - 1 year ago
You let someone remotely into your computer? Really? Learning their lesson? You mean like those that have multiple breaches?