LastPass has come under severe scrutiny in recent months due to multiple security breaches, including the theft of user data. But it wasn't only LastPass. GoTo, which makes products such as Hamachi and GoToMyPC, is the owner of LastPass. Now, the parent company confirms that it was also targeted in November's attack. The attackers did indeed steal user data from several products.
Paddy Srinivasan, CEO of GoTo, explains in a blog post that hackers gained access to the company's servers and were able to exfiltrate encrypted backups from Central, Pro, join.me, Hamachi, and RemotelyAnywhere. The encryption may not count for much: Srinivasan points out that an attacker also took an encryption key for "a part" of the backups. However, he doesn't specify which products.
Many of the products affected are enterprise-facing, making them a tempting target. Hamachi, for example, is a hosted VPN that could be used to gain access to a private LAN environment. Srinivasan said that although the exact data stolen depends on the product, it includes user names, hashed passwords and licensing information. He also mentions multi-factor authentication settings. The theft of credit card and banking information was not reported.
Although the hashed passwords should be secure in theory, GoTo is still forcing password resets for affected accounts. Some users were also asked to reconfigure multi-factor authentication settings. GoTo is contacting customers affected by the breach with information about what they can do to protect their data and accounts. GoTo will also migrate those accounts to an "enhanced Identity Management Platform", which will offer better security to stop any attempts to use the stolen data.
The latest LastPass attack was first reported to us in August 2022, when someone breached LastPass' security and took engineering data. This information was used to launch the second attack in November 2022, in which the attackers stole encrypted password vaults. The attackers also copied data from GoTo's products. LastPass claims that the password vaults are secure due to its "zero-knowledge" design. However, security experts have criticized the company for understating the severity of the breach. This latest disclosure, which comes more than two years after the attack, lends credence to that criticism.
————————————————————————————————————————————————————————————
By: Ryan Whitwam
Title: LastPass Owner GoTo Confirms It Was Also Hit By November 2022 Hack
Sourced From: www.extremetech.com/internet/342613-lastpass-owner-goto-confirms-it-was-also-hit-by-november-2022-hack
Published Date: Wed, 25 Jan 2023 22:10:29 +0000