GoTo, LastPass say attackers breached their cloud storage service

GoTo, LastPass say unknown attackers breached their shared cloud storage service

All passwords are safe, LastPass claims, although some customer information was accessed

The remote access and collaboration firm GoTo and its affiliate LastPass disclosed on Wednesday that they were looking into a breach involving a shared third-party cloud storage service.

In an online post, GoTo said it had suffered a security breach that gave attackers access to its development environment and a third-party cloud storage service.

The company began sending emails to customers on Wednesday afternoon, informing them that they had notified law enforcement about the breach and had begun an investigation with the assistance of security firm Mandiant.

GoTo said that they became aware of the incident after noticing unusual activity in both their development environment and a third-party cloud storage service.

Both GoTo and its affiliate LastPass currently use the third-party cloud storage service, whose identity was not disclosed.

LastPass is a popular password manager used by a large number of people to store encrypted passwords online. The company claims that more than 33 million consumers and 100,000 businesses use their software.

GoTo, which was formerly known as LogMeIn, bought LastPass in 2015. Last year, GoTo said it intends to spin off LastPass as a separate firm.

GoTo CEO Paddy Srinivasan stated that the company's products and services remain fully functional after the incident.

"As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity," Srinivasan added.

In a separate post Wednesday, LastPass CEO Karim Toubba said some customer information was recently accessed by an "unauthorised party" but that all passwords were safe.

According to Toubba, the attackers used data stolen during a previous security incident that occurred in August 2022 to breach its cloud storage.

Once inside, the threat actors were also able to access some of the customer data that was kept on the hacked storage service.

According to the company, customers' passwords have not been hacked and remain safely encrypted due to "LastPass's Zero Knowledge architecture".

Toubba said that LastPass had also alerted law enforcement about the incident and had engaged Mandiant to investigate the breach.

"We are working diligently to understand the scope of the incident and identify what specific information has been accessed," he said. "In the meantime, we can confirm that LastPass products and services remain fully functional."

Toubba advised users to set up and configure LastPass in accordance with best practice.

This is the second security incident that LastPass has disclosed this year after confirming in August that the company's development environment had been exposed due to a compromised developer account.

In emails addressed to customers at the time, LastPass said the attackers had taken source code and other technical data from its servers.

In a September update, the firm claimed that it had implemented improved security measures, including more endpoint security controls and monitoring.

"We have also deployed additional threat intelligence capabilities as well as enhanced detection and prevention technologies in both our Development and Production environments," LastPass said.