GoTo, the parent company of password management service LastPass, has revealed that hackers stole some customers’ encrypted data during a security breach in November.
The breach, which stemmed directly from one that occurred in August, allowed an “unauthorized party” to gain access to some customers’ information stored on a third-party cloud storage service shared by LastPass and parent GoTo. Company data stolen in August was then used in November to break into another LastPass database and capture unencrypted customer data like names, email and billing addresses, phone numbers, and IP addresses. No unencrypted credit card data was exposed, the company said.
Now, GoTo says some of its other enterprise products have been affected by the hack, including the theft of encrypted customer backups — copies of data kept for emergency recovery — for Central, Pro, join.me, Hamachi and RemotelyAnywhere. The company also said it has evidence that an encryption key used to secure the data for some of its customers was stolen.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information,” GoTo CEO Paddy Srinivasan said in a blog post update Monday. “In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
Srinivasan also said the company doesn’t believe any other GoTo products were affected by the theft. GoTo didn’t indicate how many customers were affected by the theft but did say it’s informing those who may have been impacted by the hack.
LastPass is designed to let people securely generate and save passwords across their devices, store digital records, and share both with trusted contacts. But in late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data.
GoTo didn’t immediately respond to a request for additional information.