LastPass Owner GoTo Says Hackers Stole Customer Data Backups

From CNET: GoTo, the parent company of password management service LastPass, has revealed that hackers stole some customers' encrypted data during a security breach in November.

The breach, which stemmed directly from one that occurred in August, allowed an "unauthorized party" to gain access to some customers' information stored on a third-party cloud storage service shared by LastPass and parent GoTo. Company data stolen in August that was then used in November to break into another LastPass database to capture unencrypted customer data like names, email and billing addresses, phone numbers, and IP addresses. No unencrypted credit card data was exposed, the company said.

Now, GoTo says some of its other enterprise products have been affected by the hack, including the theft of encrypted customer backups -- copies of data emergency recovery -- for Central, Pro,, Hamachi and RemotelyAnywhere. The company also said it has evidence that an encryption key used to secure the data for some of its customers was also stolen.

"The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information," GoTo CEO Paddy Srinivasan said in a blog post update Monday. "In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted."

View: Full Article