GoTo, the parent company of the popular password management software LastPass, informed the public that the hackers who managed to breach its systems in August 2022 may have stolen the access credentials of several customers.
According to a blog post published yesterday, GoTo revealed that the hackers extracted its encrypted backups and somehow obtained the encryption key, giving them access to the sensitive data contained in the files, which may include usernames, passwords, and multi-factor authentication (MFA) elements.
The affected products include Central, Pro, join.me, Hamachi, and RemotelyAnywhere. As per the company, the encrypted data from LastPass cannot be accessed in the same way, because the encryption key is stored locally on the client's registered devices and is only usable once the master password for the account has been entered.
Rescue and GoToMyPC, two other GoTo products, were not affected, although the company acknowledged that the hackers may have gained access to the MFA settings of a small group of customers.
The firm has contacted the affected customers individually to inform them of what has happened and which steps they should take to further protect their user accounts and personal information.
GoTo also confirmed that its systems do not store sensitive information from customers such as credit card or banking details, Social Security Numbers (SSNs), or home addresses.
How Far Did Hackers Get? GoTo May Not Be Fully Aware Yet
The software company has been progressively revealing the scope and reach of the breach that took place in August 2022 and that also resulted in hackers stealing a backup of LastPass’s customer vaults.
A spokesperson from GoTo declined to make further comments about the incident to TechCrunch. However, a public relations official confirmed that the company had approximately 800,000 customers.
GoTo has not yet offered any sort of remediation or compensation to customers whose data was illegally accessed.
Although LastPass was not among the most dramatically affected applications, the company informed its customers in December this year that hackers could attempt to use brute-force software to guess their master password.
If they succeeded, they would instantly obtain the encryption key to the customer's password vault and be able to view their usernames, passwords, credit card numbers, and other sensitive data.
LastPass told customers that they can opt to change their master passwords to a combination that follows the firm’s best practices. According to the firm, it would take years for a hacker to guess the combination if those guidelines are adopted.
Even though LastPass’s hackers did not obtain this data, they did siphon the personal data of an undisclosed number of customers including their names, e-mails, and billing addresses.
Other Cybersecurity Companies Have Been Breached Recently
GoTo's systems are not the only ones targeted by hackers lately: Norton LifeLock reported earlier this month that the accounts of over 6,000 customers had been illegally accessed by bad actors using brute-force software.
One of Norton's most popular products is a password management solution similar to LastPass. Even though an additional access key is required to view the passwords stored in a Norton LifeLock account, if the user chose the same combination for both, the hackers would gain access to all of their login credentials.
Norton's breach took place on 1 December, but it was only two weeks later that its IT team identified the incident. Surprisingly, the hackers used one of the oldest tricks in the book to access these accounts: trying different passwords over and over again until they guessed the right one.
It was a bit shocking to learn that Norton did not have any safeguard in place to prevent this. Typically, users are made to wait some time after several consecutive failed attempts to access their accounts.
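The safeguard described above, as an added illustration that is not code from GoTo, Norton or LastPass: a per-account progressive lockout that tolerates a few failures and then doubles the wait after each further one, replayed against a constructed stream of one wrong guess per second to show how few guesses actually reach password verification. The policy numbers are assumptions chosen for the example.

```python
"""Progressive per-account lockout after repeated failed logins (defensive example)."""
from dataclasses import dataclass, field

# Constructed policy values (assumptions for this example, not any vendor's settings).
FREE_ATTEMPTS = 5   # failures tolerated before any delay is imposed
BASE_DELAY = 30.0   # seconds of lockout once the threshold is crossed; doubles each time
MAX_DELAY = 3600.0  # cap so a legitimate user is never locked out longer than an hour
WINDOW = 900.0      # failures older than this many seconds are forgotten


@dataclass
class AccountState:
    failures: list = field(default_factory=list)  # timestamps of recent failures
    locked_until: float = 0.0


class LoginGuard:
    def __init__(self):
        self.accounts = {}

    def check(self, user, now):
        """Decide before verifying the password: (allowed, seconds_to_wait)."""
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return False, st.locked_until - now
        return True, 0.0

    def record(self, user, success, now):
        """Record a verification outcome; return the lockout (seconds) just imposed."""
        st = self.accounts.setdefault(user, AccountState())
        if success:                      # a good login clears the failure history
            st.failures.clear()
            st.locked_until = 0.0
            return 0.0
        st.failures = [t for t in st.failures if now - t <= WINDOW] + [now]
        excess = len(st.failures) - FREE_ATTEMPTS
        if excess <= 0:
            return 0.0
        delay = min(BASE_DELAY * 2 ** (excess - 1), MAX_DELAY)
        st.locked_until = now + delay
        return delay


def simulate_guesses(seconds, guard=None):
    """Replay one wrong guess per second against a single account (constructed input);
    return how many guesses reached password verification. guard=None means no lockout."""
    verified = 0
    for t in range(seconds):
        if guard is not None:
            allowed, _ = guard.check("victim", float(t))
            if not allowed:
                continue
            guard.record("victim", False, float(t))
        verified += 1
    return verified
```

With these settings, ten minutes of guessing yields 600 verified guesses without the guard and only 10 with it, while a user who logs in correctly resets their own counter.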