GoTo says hackers stole encrypted backups during November cyberattack
Multibillion-dollar software-as-a-service provider GoTo said hackers stole an encryption key for customer-owned backups during a November cyberattack.
In a statement this week, GoTo CEO Paddy Srinivasan said the November cyberattack involved the exfiltration of data from a third-party cloud storage service related to several of their products.
“The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information,” Srinivasan said.
“In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.”
He later claimed that there is “no evidence” that the exfiltration affected any other GoTo products – despite several recent announcements about cybersecurity issues facing one of their other flagship products: LastPass.
Srinivasan explained that the company is now contacting affected customers directly with advice on how to move forward. They have reset all passwords for affected users and are moving some customers to “an enhanced Identity Management Platform” that offers improved security and better authentication.
While GoTo came forward with the revelation on Monday night, Srinivasan noted that their investigation into the incident is continuing.
On November 30, Srinivasan said the company hired cybersecurity firm Mandiant to help with the incident and had contacted law enforcement. At the time, they said they initially detected “unusual activity” on an unnamed third-party cloud storage service that was used by both GoTo and LastPass.
Action1’s Mike Walters said the breach of customer backups and encryption keys would be a “nightmare” for any company, but what stood out most was the leak of data on customers’ deployment, provisioning and multi-factor authentication.
“Even though there is no evidence that intruders can decrypt backups using the encryption keys, this breach reminds us of an important lesson about backup security: Never keep encryption keys together with backups in the same or interconnected environment,” he said.
“In fact, it is one of the top backup security mistakes that should be avoided. Ideally, you should keep them off-site.”
KnowBe4’s Javvad Malik also warned that victims should be on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.
The latest announcement is yet another security issue facing GoTo following weeks of criticism for its handling of the cyberattack on LastPass.
The password manager announced in December that hackers had accessed and copied a backup of data including customers’ passwords in an encrypted format.
GoTo has more than 800,000 customers and provides a range of services and tools to businesses.