If you’ve been following the LastPass data breach scandal over the past few months, you could be forgiven for thinking it couldn’t get any worse. Every few weeks, the company comes out with grim news about the extent of the hack. Now, its parent company, GoTo, has revealed that it too was a victim.
In a blog post, GoTo CEO Paddy Srinivasan issued an update informing customers that products other than LastPass were compromised in the breach. GoTo services that shared a server with LastPass, such as Central, Pro, join.me, Hamachi, and RemotelyAnywhere, had sensitive information stolen during the LastPass hack, including usernames, salted and hashed passwords, multi-factor authentication settings, as well as product and licensing information. Additionally, the Rescue and GoToMyPC services had a small subset of their multi-factor authentication settings impacted by the breach.
Srinivasan states that affected customers are being contacted directly and that although password information was salted and hashed, GoTo is resetting their passwords out of an abundance of caution. Additionally, the company is migrating affected accounts onto an enhanced Identity Management Platform to provide additional security and authentication options at login.
The data breach in question occurred in August 2022. At the time, the password manager claimed that the hack only affected LastPass source code and other technical information. However, as 2022 progressed, more details emerged. In late November, LastPass admitted that “certain elements of our customer’s information” had been stolen by the hackers. No details about what kind of information that might be were given at the time. Then, just before Christmas, the password manager dropped the news that the hackers obtained a “backup of customer vault data.”
Theft of the backup vault means that the hackers now have unlimited attempts to guess the master password of all LastPass’s customers and gain access to every bit of customer information in the vault. LastPass stated that customer data is still safe so long as users crafted a strong master password—a claim that was torn apart a few days later by LastPass competitor 1Password.
Now it seems that the issue might be far more dire than it appeared at the close of 2022, with the inclusion of stolen data from services outside LastPass. And while we hope that this is the end of the updates to this scandal, the last few months have shown that it always has the potential to grow worse than before.
Source: GoTo News