GoTo, the remote collaboration and IT software company that owns LastPass, has confirmed that, along with the LastPass password vaults, it also had customer data taken by attackers during a November 2022 security breach (via TechCrunch).
The company, which was formerly known as LogMeIn, is updating its blog post about the breach for the first time since November 30th, when GoTo confirmed “unusual activity” within its development environment and cloud storage service.
Many of GoTo’s enterprise products were affected, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. GoTo CEO Paddy Srinivasan writes that a hacker “exfiltrated encrypted backups from a third-party cloud storage service” and acquired the encryption key for a portion of them — nearly two months ago. The information taken varies by product but “may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”
Encrypted databases for the more well-known GoToMyPC remote computer software and Rescue were not taken by the attackers; however, “MFA settings of a small subset of their customers were impacted.”