LastPass Owner GoTo Says Hackers Stole Customer Data Backups

The company says it has evidence an encryption key used to secure the data was also stolen in the November hack.

Steven Musil Night Editor / News

GoTo, the parent company of password management service LastPass, has revealed that hackers stole some customers' encrypted data during a security breach in November.

The breach, which stemmed directly from one that occurred in August, allowed an "unauthorized party" to gain access to some customers' information stored on a third-party cloud storage service shared by LastPass and parent GoTo. Company data stolen in August was then used in November to break into another LastPass database to capture unencrypted customer data like names, email and billing addresses, phone numbers, and IP addresses. No unencrypted credit card data was exposed, the company said.

Now GoTo says some of its other enterprise products have been affected by the hack, including the theft of encrypted customer backups -- copies for emergency data recovery -- for Central, Pro, join.me, Hamachi and RemotelyAnywhere. The company also said it has evidence that an encryption key used to secure the data for some of its customers was stolen as well.

"The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information," GoTo CEO Paddy Srinivasan said in a blog post update Monday. "In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted."

Srinivasan also said the company doesn't believe any other GoTo products were affected by the theft. GoTo didn't indicate how many customers were affected by the theft but did say it's informing those who may have been impacted by the hack.

LastPass is designed to let people securely generate and save passwords across their devices, store digital records and share both with trusted contacts. But in late December, LastPass CEO Karim Toubba acknowledged that a security incident the company first disclosed in August had ultimately paved the way for an unauthorized party to steal customer account information and vault data.

GoTo didn't immediately respond to a request for additional information.