If a locked filing cabinet is stolen along with its key, can you say it's still locked? GoTo thinks you can • Graham Cluley

Last week, GoTo (the parent company of LastPass, which has itself been the victim of some recent horrendous security breaches) announced that it had also been hacked.

Here's part of what GoTo said:

Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.

Urk. That's bad. Losing backups is arguably as bad as losing your password vaults. But hey, good to know the backups were encrypted…

We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups.

Oh. So when you said the backups were encrypted, you actually meant that they were encrypted but could be decrypted with ease?

To say the backups were encrypted is a bit like trying to argue that a locked box is still locked when the key to the box is stolen at the same time as the box.

The affected information, which varies by product, may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

GoTo has apparently been forcing password resets on affected accounts and re-authorising MFA settings "out of an abundance of caution."


Apparently the breach occurred at a third-party cloud storage service which GoTo and the beleaguered LastPass both use.

Although, no doubt, there will be questions as to whether GoTo had adequately configured the security of the cloud-based storage for its backups, there are perhaps even more questions to ask about how careful it was being with the encryption key for those backups. An encryption key that sits in the same storage, or behind the same credentials, as the data it protects adds nothing once that storage is compromised: the whole point of encrypting backups at rest is that the key lives somewhere the thief who grabs the backups cannot also reach.



Graham Cluley is a veteran of the anti-virus industry, having worked for a number of security companies since the early 1990s when he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows. Now an independent security analyst, he regularly makes media appearances and is an international public speaker on the topic of computer security, hackers, and online privacy.
Follow him on Twitter at @gcluley, on Mastodon at @[email protected], or drop him an email.