GoTo has updated its blog post regarding a security incident that it first discovered in November 2022. Encrypted backups from the third-party cloud storage service offered to Central, Pro, Hamachi, join.me, and RemotelyAnywhere were breached along with its development environment.
The company suspects that the impacted user data included account usernames, product settings, licensing data, and salted and hashed passwords.
Based on the evidence, it can be inferred that an encryption key for some portions of encrypted backups was exfiltrated in the GoTo data breach.
The company, formerly called LogMeln Inc., further stated that a portion of multi-factor authentication (MFA) settings might have also been breached. Encrypted data from its products, Rescue and GoToMyPC remained safe, according to the post.
GoTo also clarified that presently it has no reason to believe that any of its other products have been accessed in the cyberattack.
The post from January 23 concluded by adding that the company did not store full credit card or bank information and end-user personal information, including date of birth, residential address, and social security number.
Researchers from Sophos are contesting this by asking what the company meant by “a portion of multi-factor authentication settings” that was exposed to hackers if it does not collect the said data.
Paddy Srinivasan, CEO of GoTo mentioned in their previous post dated November 30, 2022, that this incident affected the third-party cloud storage service, which was also used by LastPass.
The Cyber Express reported the LastPass data breach in August that exposed over 25 million users’ information.
LastPass integrates with GoToMeeting using single sign-in, providing identity and access management services.
In its updated blog post speaking about the incident, the company CEO Karim Toubba said, “…. an unauthorized party gained access to a third-party cloud-based storage service, which LastPass uses to store archived backups of our production data.” This post also assured that user data was untouched, which was found to be untrue after further investigations.
Researchers question security breach notices
Sophos represented that if MFA settings were accessed by criminals, then it could mean that phone numbers, starting seeds for 2FA codes, and stored recovery codes could have been impacted.
With this, the hackers can access account login details using their phone number and can send a sim swap request to the service provider to have a duplicate sim either by tricking, convincing, or bribing them.
This could be exploited further by attempting to log in and opting to be sent an OTP for logging in.
Researchers at the IT security company stated that the stolen source code led cybercriminals to further their hold on gaining access to user data from cloud storage. Both security incidents were reported in the second half of last year.
Several questions are being raised by researchers, including why entities that work together do not confirm data breaches if found simultaneously impacting both together. Investigations can be smoother with a cohesive result if affected entities maintain transparency and cooperate with investigators.