Security News > 2023 > January > GoTo says hackers stole customers' backups and encryption key
GoTo is warning customers that threat actors who breached its development environment in November 2022 stole encrypted backups containing customer information and an encryption key for a portion of that data.
"Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility," reads the notice to customers.
We have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups." - GoTo.
In response to the situation, GoTo is resetting Central and Pro passwords for impacted customers and automatically migrates accounts to GoTo's enhanced Identity Management Platform.
GoTo has published an update to the incident saying that it is contacting affected customers directly to offer more details and recommendations for actionable steps to increase the security of their accounts.
While the company has not shared the type of encryption used for the backups, if they used asymmetrical encryption, such as AES, then it could be possible to decrypt the backups using the stolen encryption key.