LastPass’ parent company GoTo - formerly LogMeIn - has confirmed that cybercriminals stole customers’ encrypted backups during a recent breach of its systems.

The breach was first confirmed by LastPass on November 30. At the time, LastPass chief executive Karim Toubba said an “unauthorized party” had gained access to some customers’ information stored in a third-party cloud service shared by LastPass and GoTo. The attackers used information stolen from an earlier breach of LastPass systems in August to further compromise the companies’ shared cloud data. GoTo, which bought LastPass in 2015, said at the time that it was investigating the incident.

Now, almost two months later, GoTo said in an updated statement that the cyberattack impacted several of its products, including business communications tool Central, an online meetings service, hosted VPN service Hamachi, and its Remotely Anywhere remote access tool. GoTo said the intruders exfiltrated customers’ encrypted backups from these services - as well as the company’s encryption key for securing the data.

“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” said GoTo CEO Paddy Srinivasan. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”

Despite the delay, GoTo provided no remediation guidance or advice for affected customers. GoTo said the company does not store customers’ credit card or bank details, or collect personal information, such as date of birth, home address, or Social Security numbers. That’s in sharp contrast to the hack affecting its subsidiary, LastPass, during which attackers stole the contents of customers’ encrypted password vaults, along with customers’ names, email addresses, phone numbers, and some billing information.

While all of the account passwords were salted and hashed “in accordance with best practices”, GoTo still reset the passwords of affected users, and had them reauthorize MFA settings, where possible. The CEO also said the company is migrating affected accounts onto an enhanced Identity Management Platform to provide additional security and more robust authentication and login-based security options. GoTo is contacting affected customers directly, Srinivasan confirmed.

LastPass first reported suffering a data breach in November 2022. An initial investigation determined that the hackers managed to steal customer vaults, essentially databases containing all of their passwords. The vaults themselves are encrypted, however, meaning the crooks will not have such an easy time reading their contents.

“These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture,” LastPass CEO Karim Toubba had said. “As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.”