Communications firm GoTo, which provides a wide variety of remote access and video conferencing products in addition to owning popular password management system LastPass, has revealed that a November breach resulted in the theft of encrypted backups and encryption keys for a number of its products.
The theft of LastPass’s encrypted password vaults had been previously reported, but the fact that the hack impacted multiple GoTo companies and products is a new development and greatly increases the total amount of potential damage. A variety of the company’s enterprise products are impacted including Central, Pro, join.me, Hamachi, and RemotelyAnywhere.
Encrypted backups for an assortment of products stolen; encryption key granting access to “a portion” of these also lost
GoTo says that the stolen information varies by product, but encryption keys that were also taken in the hack will grant access to “a portion” of the encrypted backups that were stolen. The attackers may have additionally accessed Central and Pro account usernames, salted and hashed passwords, some Multi-Factor Authentication (MFA) settings, and some product settings and licensing information. For Rescue and GoToMyPC customers, the MFA settings of a “small subset” of their customers may also have been exposed.
GoTo says that all stolen passwords were salted and hashed, but out of an abundance of caution it is contacting all impacted customers and asking them to change passwords. These accounts are also being migrated to an “enhanced Identity Management Platform” that the company says will provide additional login security and authentication options.
The lone bright spot in the breach is that the company does not store financial information or personal information such as Social Security numbers, so customer bank accounts and credit cards do not appear to be at risk. However, the incident will certainly leave many with questions (along with some angry observations) given that it took about two months for the company to follow up with more information about a breach this extensive that involved the theft of an encryption key and encrypted backups that could contain very sensitive information.
Questions remain about how much client data can be pulled from encrypted backups
While GoTo says that only some of the stolen data can be accessed via leaked encryption keys, it remains possible (as with the stolen LastPass password vaults) that the encrypted backups could be cracked at some point. The likelihood of this hinges on the type of encryption used, something that GoTo has not revealed to the public. The company says that its investigation into the incident continues.
There is valid reason for concern not only given the recent LastPass breach, but also given the considerable delay in announcing it to customers. The LastPass incident was not disclosed until just before the Christmas holiday weekend, though the company had previously announced it had detected unusual activity in late November and had presumably already been investigating for some time. Security professionals were also highly critical not just of the timing of the LastPass announcement, but of what appeared to be concealment of some aspects of the breach and the use of misleading language.
Depending on the type of encryption used and, where keys were derived from passwords, the strength of those passwords, encrypted backups may require too much time and compute power to be worth the trouble to crack. A backup protected by a randomly generated 256-bit key is out of reach for brute force; one protected by a key derived from a user-chosen password is only as strong as that password and the cost of the key derivation function in front of it. Those who had data stolen will now have to wonder going forward whether that stored data will become public, and there is still no completely clear information on what the leaked encryption key grants access to. The "harvest now, decrypt later" concern that is often raised about quantum computing is less relevant here than it may seem: the known quantum attacks bear on public-key cryptography, and a properly keyed AES-256 backup would not be opened in minutes by a future quantum computer. The nearer-term risk is the stolen keys themselves, and any backups whose keys can be attacked through weak passwords on ordinary hardware.
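The following is an added example, not GoTo's code and not a description of its backup format (which the company has not published). It shows, with constructed data, the three situations the paragraph above distinguishes: a backup whose key is derived from a weak password falls to a dictionary attack that tests each guess against the authentication tag; a backup under a random 256-bit key cannot be guessed; and a backup whose key was stolen alongside it decrypts immediately regardless of password strength. PBKDF2-HMAC-SHA256 is an assumed key derivation function, and a toy HMAC-based stream cipher stands in for AES so that the example runs on the Python standard library alone. The `seconds_to_exhaust` estimate assumes the attacker's hashing throughput as an input parameter.

```python
import hashlib
import hmac
import secrets
import struct
from typing import Optional

ITERATIONS = 600_000  # assumed PBKDF2 work factor; the demo below uses a smaller one for speed


def _subkeys(master: bytes) -> tuple:
    """Split one 32-byte master key into independent encryption and MAC keys."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher: XOR data with HMAC-SHA256(key, nonce || block counter).
    A stand-in for AES so the example needs no third-party library."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + struct.pack(">Q", i // 32), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt_with_key(master: bytes, plaintext: bytes) -> dict:
    """Encrypt-then-MAC under a raw 32-byte key (the 'random key' case)."""
    enc, mac = _subkeys(master)
    nonce = secrets.token_bytes(16)
    ct = _xor_keystream(enc, nonce, plaintext)
    tag = hmac.new(mac, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}


def decrypt_with_key(master: bytes, blob: dict) -> Optional[bytes]:
    """Return the plaintext, or None if the key is wrong or the data was tampered with."""
    enc, mac = _subkeys(master)
    expected = hmac.new(mac, blob["nonce"] + blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    return _xor_keystream(enc, blob["nonce"], blob["ct"])


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the per-guess cost an attacker must pay."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def encrypt_with_password(password: str, plaintext: bytes, iterations: int = ITERATIONS) -> dict:
    """The 'password-derived key' case. Salt and iteration count are stored in the
    clear next to the ciphertext, as real archive formats do."""
    salt = secrets.token_bytes(16)
    blob = encrypt_with_key(derive_key(password, salt, iterations), plaintext)
    blob.update({"salt": salt, "iterations": iterations})
    return blob


def dictionary_attack(blob: dict, candidates: list) -> Optional[str]:
    """What an attacker holding only the stolen backup can do: derive a key per
    guess and test it against the tag. Returns the password that works, if any."""
    for guess in candidates:
        key = derive_key(guess, blob["salt"], blob["iterations"])
        if decrypt_with_key(key, blob) is not None:
            return guess
    return None


def seconds_to_exhaust(entropy_bits: float, iterations: int, sha256_per_second: float) -> float:
    """Expected time to search half the password space, given the KDF work factor
    and an assumed attacker throughput in SHA-256 computations per second."""
    guesses = 2 ** entropy_bits / 2
    return guesses * iterations / sha256_per_second


if __name__ == "__main__":
    backup = b"constructed sample: host=remote-01 user=admin token=abc123"  # constructed data

    # Case 1: weak password, key derived from it. The attacker needs only the blob.
    weak = encrypt_with_password("Summer2022!", backup, iterations=2_000)
    print("dictionary attack recovered:", dictionary_attack(weak, ["password", "letmein", "Summer2022!"]))

    # Case 2: random 256-bit key. No password to guess; the tag rejects every wrong key.
    key = secrets.token_bytes(32)
    strong = encrypt_with_key(key, backup)
    print("wrong key decrypts to:", decrypt_with_key(bytes(32), strong))

    # Case 3: the key was stolen with the backup. Strength of anything else is irrelevant.
    print("stolen key decrypts to:", decrypt_with_key(key, strong))

    # Cost estimate: 40-bit password, 600k iterations, attacker at 1e10 SHA-256/s (assumed).
    print("years to exhaust:", seconds_to_exhaust(40, ITERATIONS, 1e10) / (365 * 86400))
```

The iteration count only multiplies the attacker's cost per guess; it does not rescue a password drawn from a small space, which is why the random-key case and the stolen-key case behave so differently from each other.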
Mike Walters, VP of Vulnerability and Threat Research at Action1, additionally notes that the fact that MFA information was included in the breach merits special attention: “Experiencing a breach involving customer backups along with encryption keys to that data is a nightmare for any IT security company. What caught my eye is that breached information, among other things, includes the data on customer’s deployment and provisioning and multi-factor authentication (MFA). Even though there is no evidence that intruders can decrypt backups using the encryption keys, this breach reminds us of an important lesson about backup security: Never keep encryption keys together with backups in the same or interconnected environment! … In addition, this breach shows us that MFA data can also be compromised. That is why always use advanced MFA methods such as authentication apps instead of email or SMS.”
And while GoTo is contacting impacted customers to advise a password change, the company has not yet issued remediation guidance to those whose encrypted backups were compromised. As the investigation continues, there remain questions about whether the attackers may still have a way into company systems. That is a major concern for users of its impacted remote access software such as RemotelyAnywhere.
At minimum, GoTo customers are likely looking at a wave of phishing attacks from the non-encrypted contact information that was stolen. In the wake of the December LastPass revelations, some security experts recommended that their clients simply give up on the service and find another password manager. It would not be surprising to see a similar wave of advice given the circumstances. As Javvad Malik (security awareness advocate at KnowBe4) notes, customers should assume an eventual total compromise of whatever information was provided to these platforms and stored in the encrypted backups: “Any breach is unfortunate for all those impacted. While in this case the data was encrypted, the fact that the decryption keys were also stolen renders the encryption worthless. Therefore, impacted customers should treat this as a complete breach of all data and take the necessary steps to protect themselves from any fallout. This can include changing their passwords. Also, be on the lookout for any phishing or social engineering scams which can be crafted using the stolen data.”