The breach was first confirmed by LastPass on November 30.
At the time, LastPass chief executive Karim Toubba said an
“unauthorized party” had gained access to some customers’
information stored in a third-party cloud service shared by
LastPass and GoTo. The attackers used information stolen from an
earlier breach of LastPass systems in August to further compromise
the companies’ shared cloud data. GoTo, which bought LastPass in
2015, said at the time that it was investigating the incident.
Now, almost two months later, GoTo said in an updated
statement that the cyberattack impacted several of its
products, including business communications tool Central; online
meetings service Join.me; hosted VPN service Hamachi, and its
Remotely Anywhere remote access tool.
GoTo said the intruders exfiltrated customers’ encrypted backups
from these services — as well as the company’s encryption key for
securing the data.
This breach now sounds like a company covering its ass. LastPass users should consider everything they stored in LastPass tainted.