Sedara Security Bulletin: GoTo and LastPass Security Incidents

Summary:

GoTo, formerly known as LogMeIn and the parent company of LastPass, released a security advisory about a malicious actor stealing encrypted backups for several
GoTo products:

• Central
• Pro
• Join.me
• Hamachi
• RemotelyAnywhere

The malicious actors also stole an encryption key for a portion of those backups. Affected information may include account usernames, salted and hashed passwords, MFA settings, product settings, and licensing information. This incident is in addition to the previously disclosed incident affecting LastPass where a malicious actor stole backups of customer vault data.

History:

GoTo and LastPass have released escalating security advisories over the past several months:

•  August 25, 2022 – LastPass announces that a malicious actor stole source code and other technical information
• September 15, 2022 – LastPass announces a conclusion to the August investigation and says no further information was stolen
• November 30, 2022 – LastPass announces that a malicious actor used some of the information stolen in the August incident to “gain access to certain elements of…customers’ information” from a third-party cloud storage service
• November 30, 2022 – GoTo announces that it detected suspicious activity within its development environment and third-party cloud storage service
• December 22, 2022 – Last Pass announces that a malicious actor gained access to customer account data such as customer names, company affiliation, billing address, email address, telephone number, and IP addresses. The malicious actor also gained access to copies of customer vault data, including encrypted usernames and passwords for the sites customers have connected to LastPass
• January 23, 2022 – GoTo announces that a malicious actor stole encrypted backups—along with an encryption key for a portion of those backups—from a third-party cloud storage service. The backups contained information from their Central, Pro, join.me, Hamachi, and RemotelyAnywhere products, and the information may include usernames, salted and hashed passwords, MFA settings, product settings, and licensing information

Mitigation Steps recommended by Sedara:

• GoTo customers should change their passwords for GoTo products
• LastPass customers should change their master password in addition to all the passwords for the sites in their vaults
• Make new passwords as long and entropic as possible
• Do not reuse passwords between sites
• Ensure your new password has not been publicly disclosed before (e.g., check https://haveibeenpwned.com/Passwords)
• Continue to stay informed on the latest security incidents

How can Sedara Help?

• Sedara’s vCISO’s can provide you ongoing supervision and support to stay abreast of the latest security incidents and make changes to improve your cybersecurity posture

More reading on this threat:

• GoTo Security Bulletin — https://www.goto.com/blog/our-response-to-a-recent-security-incident#
• LastPass Security Bulletin — https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

Want Help With a Security Incident?

Sedara can help your organization assess and address vulnerabilities and provide insight that prevents future incidents.

Get Future Compromise Alerts – Join Sedara Declassified

Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do. And of course, if we can help you with anything directly, feel free to reach out.