A wide range of products across the GoTo ecosystem have been compromised, and customers have been left to wonder if their data has been exposed after encrypted backups were taken along with an encryption key that the company says provides access to “a portion” of the stolen data.
This breach is particularly troubling as GoTo is both the owner of the widely used LastPass credential management software, and also the provider of an assortment of remote access and conferencing tools. The company said that Central, Pro, join.me, Hamachi, and RemotelyAnywhere are impacted by the theft of the encrypted backups as well as certain other items of non-encrypted exposed data; LastPass was not named, but is still dealing with the fallout of its own recent breach.
GoTo customers left unsure about encryption strength, likelihood of encrypted backups being cracked
GoTo is continuing to investigate the incident, but thus far has not provided complete details about how well-secured the encrypted backups are against cracking attempts or exactly what the stolen encryption key will provide the attackers with access to.
This is not inspiring confidence in GoTo customers, to say the least, after the Christmas notification of a major breach of LastPass that also included encrypted backups. LastPass was taken to task for not being entirely forthcoming with details of that breach and not being straightforward with customers in its communications.
The encryption key that was taken reportedly only unlocks “a portion” of the stolen encrypted backups, but it’s still not entirely clear which “portion” that is. The remainder are subject to brute-force cracking attempts, which could open them in anything from hours to years depending on the type and strength of the encryption used. GoTo’s announcement only said that the stolen information “varies by product.”
Another point of concern is that the encryption key was apparently stored in the same environment as the encrypted backups, which runs directly counter to recommended security practice of keeping keys separate from the data they protect. The non-encrypted data that was stolen also contains some items of concern, such as Multi-Factor Authentication (MFA) settings for some of the company’s customers.
Mystery remains about missing encryption key
Right now, customer financial information has not been reported as being compromised. However, given that data breaches are often revealed to be more severe than initially expected as investigations progress, GoTo customers should take whatever security precautions they feel are prudent. It is probably best to assume that it is only a question of time before any encrypted backups that were taken are cracked.
The company will likely suffer a serious blow from these incidents, with customer trust already reeling after the LastPass break-in to close out 2022.