Go to security school, GoTo – theft of encryption keys shows you need it

2023-01-25 08:28

Remote access outfit GoTo has admitted that a threat actor exfiltrated an encryption key that allowed access to "a portion" of encrypted backup files.

A third-party cloud storage service GoTo uses for its own products and affiliate company LastPass was attacked in August 2022.

GoTo and LastPass revealed the incident in separate notifications that The Register covered after the companies 'fessed up in November 2022.

Now GoTo has offered more information on the attack, revealing the attacker "Exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere."

"The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication settings, as well as some product settings and licensing information," wrote GoTo CEO Paddy Srinivasan.

Sounds like the right thing to do, but also suggests GoTo isn't confident in its existing systems.

News URL

https://go.theregister.com/feed/www.theregister.com/2023/01/25/goto_security_incident_update/

#encryption #security