GoTo Suffers a Data Breach

GoTo, the owner of LastPass, has confirmed that hackers stole backups belonging to customers. The organization, which was once known as LogMeIn, has disclosed that the hackers obtained not only encrypted backups of user data but also an encryption key for at least some of that data.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups. The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted,” said GoTo in a published incident update.

The LastPass hack followed a similar trajectory, from a low-key initial announcement to revelations that it was worse than first thought. LastPass, a GoTo affiliate firm, disclosed an attack on its own servers back in August, but claimed at the time that there was no evidence that user data had been accessed. That changed in December, when the business acknowledged that the hackers had definitely accessed customer data. Passwords were thought to be secure at the time since only the client had access to the decryption key.

Later, LastPass went even further and acknowledged that much more data had been taken. The corporation continued to claim that customer logins were safe, but a security researcher accused it of spreading “half-truths and blatant lies.” Due to lax security procedures, competing password management service 1Password argued that customer passwords were not in danger. GoTo previously reported in November that hackers had gained access to the company’s development environment as well as a third-party cloud storage provider that both it and LastPass used. The disclosure was rather low-key, and it seemed that only business data, not client data, had been obtained.

However, the business has now started sending emails to clients informing them that their data backups had been accessed. GoTo also acknowledged that the encryption key for at least some of the data had been acquired. GoTo is requiring impacted accounts to change their passwords, although it doesn’t appear that this will stop hackers from accessing the data they have already stolen.

Sources

https://www.goto.com/blog/our-response-to-a-recent-security-incident

https://www.bleepingcomputer.com/news/security/goto-says-hackers-stole-customers-backups-and-encryption-key/

https://thehackernews.com/2023/01/lastpass-parent-company-goto-suffers.html
