GoTo says hackers stole customers' backups and encryption key

GoTo (formerly LogMeIn) is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data.

GoTo provides a platform for cloud-based remote working, collaboration, and communication, as well as remote IT management and technical support solutions.

In November 2022, the company disclosed a security breach affecting its development environment and a cloud storage service shared by GoTo and its affiliate, LastPass.

At the time, the impact on client data was not yet known, as the company's investigation into the incident, conducted with the help of cybersecurity firm Mandiant, had just begun.

The internal investigation so far has revealed that the incident had a significant impact on GoTo's customers.

According to a GoTo security incident notification that a reader shared with BleepingComputer, the attack affected backups relating to the Central and Pro product tiers stored in a third-party cloud storage facility.

"Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.

"In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups." - GoTo

The information present in the exfiltrated backups includes the following:

  • Central and Pro account usernames
  • Central and Pro account passwords (salted and hashed)
  • Deployment and provisioning information
  • One-to-Many scripts (Central only)
  • Multi-factor authentication information
  • Licensing and purchasing data, such as emails, phone numbers, billing addresses, and the last four digits of credit card numbers

In response to the situation, GoTo is resetting Central and Pro passwords for impacted customers and automatically migrating their accounts to GoTo's enhanced Identity Management Platform.

This platform provides additional security controls that make unauthorized account access or takeover much more challenging.

GoTo has published an update on the incident saying that it is contacting affected customers directly to offer more details and recommendations for actionable steps to increase the security of their accounts.

While the company has not shared the type of encryption used for the backups, if it used symmetric encryption, such as AES, then it could be possible to decrypt the backups using the stolen encryption key.

The firm adds that it still has no evidence that the intruders ever got access to its production systems and says that man-in-the-middle attacks couldn't have any impact on clients because TLS 1.2 encryption and peer-to-peer technology are used to prevent eavesdropping.

GoTo's investigation into the incident is still underway, and the company promised to update customers should any important findings surface.