GoTo Says Hackers Stole Customers' Backups and Encryption Key (bleepingcomputer.com)
GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data. From a report: GoTo provides a platform for cloud-based remote working, collaboration, and communication, as well as remote IT management and technical support solutions. In November 2022, the company disclosed a security breach on its development environment and a cloud storage service used by both them and its affiliate, LastPass. At the time, the impact on the client data had yet to become known as the company's investigation into the incident with the help of cybersecurity firm Mandiant had just begun.
The internal investigation so far has revealed that the incident had a significant impact on GoTo's customers. According to a GoTo security incident notification a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility. "Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.
Re:Hello lazy people: here's your lesson for the d (Score:4, Insightful)
My brain doesn't want to store passwords. Maybe there's something wrong with it, but that doesn't mean I don't deserve to use computing resources. Your ableism is typical and tedious.
Re: (Score:2)
Why did they even HAVE the keys necessary to decrypt users' passwords? The user should be the only one with the master password. The problem isn't storing your passwords somewhere else, it's the other part.
Re:Hello lazy people: here's your lesson for the d (Score:4, Informative)
"Why did they even HAVE the keys necessary to decrypt users' passwords?"
They DON'T.
Let me repeat that for you THEY DON'T.
This disclosure pertains to customer account information for DIFFERENT products - NOT LASTPASS.
This relates to GoTo Central, an RMM tool, and GoTo Pro -- the current name of the original "LogMeIn" remote PC control service.
So for those services they had stuff like, your name, and address, the list of PCs you monitored/had access to, your various preferences, access logs for them, last time they were online, and whatever else. And that data was backed up. And those backups were encrypted. And the encryption key for the backup of that information was breached.
It's bad. But this has got nothing to do with LastPass.
Re: (Score:2)
Using 3 consecutive letters of your username, first name, or last name is often prohibited by password policies at organizations that actually care about security. Using part of your username as part of your password is a terrible idea on all fronts.
Re: (Score:2)
For instance, the first 3 characters of your username, the first letters of the first 8 words of a poem you know, 2 digits, one more character from your username and a hash.
And a hash? I'm supposed to perform a hashing function in my head in addition to all that other crap? Jiminy. Or did you mean an octothorpe?
Re: (Score:2)
Passwords should live in your BRAIN.
If you're too lazy to bother remembering your passwords or a generic recipe to manually create different passwords for all the accounts you have, and you give your passwords to a third party to manage for you, you deserve to have your passwords stolen.
Any recipe that will allow you to remember hundreds of passwords must necessarily be easy, and if a password is simple enough to remember with an easy recipe, then it is too weak.
Re: (Score:2)
Actually, writing them down and keeping them in your wallet _not_ together with username and what they are for is fine as well.
Re: (Score:2)
1 password, maybe. However, when I have hundreds to thousands of sites, that isn't going to happen.
A GOOD password manager is a definite security boost. The trick is to know a good one from a bad one. For personal use, I'd probably just go with a cloud account, KeePass, and have a keyfile that you manually copy onto all your devices. For example, Strongbox is a good KeePass implementation on iOS, and you can just plug your phone into your Mac or PC, and copy the file to Strongbox's folder, so the keyfil
Brilliant! (Score:5, Insightful)
So GoTo encrypted the backups (good) and then stored the decryption key WITH the backups (WHAT?!?)?
See also, the safe combination is on a sticky note stuck to the safe...
The house key is kept in the lock on the front door so I don't lose it!!
Re: (Score:1)
So GoTo encrypted the backups (good) and then stored the decryption key WITH the backups (WHAT?!?)?
Exactly. They have no business even having the decryption key. If I lose my master password or recovery file then I simply lose all the passwords I stored in my browser. I don't store my bank password there anyway, ofc, because sense. I'm already trusting my browser not to leak that because I enter it into my browser occasionally in order to log into my bank...
Re: (Score:3)
The information present in the exfiltrated backups includes the following:
* Central and Pro account usernames
* Central and Pro account passwords (salted and hashed)
* Deployment and provisioning information
* One-to-Many scripts (Central only)
* Multi-factor authentication information
* Licensing and purchasing data like emails, phone numbers, billing address, and last four digits of credit card numbers.
The LastPass breach has already been covered and no, they did not have the keys to your password vault. This is for their other products.
Re: (Score:2)
This makes my brain hurt. When I do backups, the encryption key for the backups might be kept in a few places:
* A printed out copy that goes into a waterproof case with desiccant, and that goes into a fire/burglary rated safe. This safe is separate from the tape safe, with a good combination lock on it.
* The PAM.
* A KeePass database in a VeraCrypt container which is stored in a secure, but accessible spot, with the master key stamped on a metal plate, which goes into a safe offsite. A BIP-39 24 word k
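As an added illustration of the point this thread keeps returning to (the backups were encrypted, but the key was reachable from the same place), here is envelope encryption in Go; it is example code written for this page, not code from the article, from GoTo, or from any commenter. Each backup gets its own random data key (DEK), the DEK is wrapped under a key-encryption key (KEK), and only the ciphertext plus the wrapped DEK are written to the backup store; the KEK lives in a separate key store, so a copy of the backup store alone cannot be decrypted. AES-256-GCM and 32-byte keys are my choices, not anything the page specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// must panics on programming errors (bad key length, broken RNG); demo only.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// seal returns nonce || AES-GCM ciphertext || tag under key.
func seal(key, pt []byte) []byte {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	nonce := make([]byte, g.NonceSize())
	must(rand.Read(nonce))
	return g.Seal(nonce, nonce, pt, nil)
}

// open reverses seal; it fails on a wrong key or any tampering.
func open(key, blob []byte) ([]byte, error) {
	g := must(cipher.NewGCM(must(aes.NewCipher(key))))
	n := g.NonceSize()
	if len(blob) < n {
		return nil, fmt.Errorf("truncated blob")
	}
	return g.Open(nil, blob[:n], blob[n:], nil)
}

// EncryptBackup: fresh random DEK per backup, wrapped under the long-lived KEK.
// Only (ct, wrappedDEK) goes to the backup store; the KEK stays in a separate
// key store (KMS, HSM or an offline safe), never beside the backups.
func EncryptBackup(kek, backup []byte) (ct, wrappedDEK []byte) {
	dek := make([]byte, 32)
	must(rand.Read(dek))
	return seal(dek, backup), seal(kek, dek)
}

// RestoreBackup needs the KEK fetched from the key store; a stolen pair alone
// is useless, which is the property the GoTo setup lacked.
func RestoreBackup(kek, ct, wrappedDEK []byte) ([]byte, error) {
	dek, err := open(kek, wrappedDEK)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, ct)
}
```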
Who came up with the press release, (Score:2)
So it's true what they say? (Score:5, Funny)
"Goto considered harmful"
Re: (Score:1)
Long-time lurker, first-time poster here. I would just like to say that this was excellent. Carry on.
from within?? (Score:2)
It sounds like hackers had help from within the company.
Remember? (Score:3)
Pepperidge Farm remembers.
Umm (Score:1)
It's like coyote ugly (Score:2)