GoTo (formerly LogMeIn) is a cloud-based platform for remote access, collaboration and communication. In November 2022, the company reported a security breach in its development environment and cloud storage service used by both it and subsidiary LastPass.
At that time, the impact on customer data was not yet known, as the investigation into the incident had just begun. The investigation is currently at an intermediate stage. The information received makes it clear that the incident had a significant impact on GoTo customers.
“Our investigation to date has determined that an attacker has stolen encrypted backups associated with Central and Pro from a third-party cloud storage. In addition, we have evidence that the attacker also stole the encryption key for some of the encrypted data,” company representatives said.
The information in the backups leaked on the darknet was as follows:
- Usernames for Central and Pro product accounts;
- Account passwords for Central and Pro products;
- Deployment and configuration information;
- One-to-Many scenarios (Central only);
- Information about multi-factor authentication;
- Licensing and purchase data such as email addresses, phone numbers, billing address, and the last four digits of credit card numbers.
GoTo is now resetting Central and Pro passwords for affected customers and automatically transitioning all accounts to an advanced identity management platform. This platform provides additional security controls that make it much more difficult for unauthorized account access or takeover.
GoTo also said that it is contacting affected customers directly to offer more details and guidance on the steps needed to improve the security of their accounts.
The company added that it still has no evidence that attackers have ever gained access to its production systems, and says that man-in-the-middle attacks cannot have any impact on customers because TLS 1.2 encryption and peer-to-peer connections technology are used.
The investigation into the GoTo incident is still ongoing. The company has promised to let its customers know if any additional important information comes up.