GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for some of that data.
GoTo provides a platform for cloud-based remote work, collaboration and communication, as well as IT management and remote technical support solutions.
In November 2022, the company disclosed a security breach on its development environment and a cloud storage service used by both them and its affiliate, LastPass.
At the time, the impact to customer data was not yet known, as the company’s investigation into the incident with the help of cybersecurity firm Mandiant had just begun.
The internal investigation so far revealed that the incident had a significant impact on GoTo customers.
According to a GoTo Security Incident Notification a drive shared with BleepingComputer, the attack affected backups relating to Central and Pro product levels stored in a third-party cloud storage facility.
“Our investigation to date has determined that a malicious actor has exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility,” reads the customer advisory.
“Additionally, we have evidence that a threat actor also exfiltrated an encryption key for some of the encrypted data. However, as part of our security protocols, we are trailing and hashing account passwords. Central and Pro. This provides an extra layer of security in encrypted backups.” – Go to
Information present in exfiltrated backups includes the following:
- Central and Pro account usernames
- Central and Pro account passwords (salted and chopped)
- Deployment and provisioning information
- One-to-many scripts (Central only)
- Multi-factor authentication information
- License and purchase data such as emails, phone numbers, billing address and last four digits of credit card numbers.
In response to the situation, GoTo is resetting Central and Pro passwords for affected customers and automatically migrating accounts to GoTo’s enhanced identity management platform.
This platform provides additional security controls that make unauthorized access or account takeover much more difficult.
GoTo published a incident update saying he is contacting affected customers directly to offer more details and recommendations on steps to take to increase the security of their accounts.
Although the company did not share the type of encryption used for the backups, if it used asymmetric encryption, such as AES, it might be possible to decrypt the backups using the stolen encryption key.
The company adds that it still has no evidence that intruders ever gained access to its production systems and claims that man-in-the-middle attacks could have no impact on customers because TLS 1.2 encryption and peer-to-peer technology is used to prevent eavesdropping.
GoTo’s investigation into the incident is still ongoing, and the company has promised to notify customers if any significant findings surface.