GoTo, the popular online meeting application, and LastPass, the popular password manager, are having a tough holiday season. Here is GoTo's November 30, 2022, blog post from CEO Paddy Srinivasan:
I am writing to inform you that GoTo is investigating a security incident. While we are currently working to better understand the scope of the issue, we wanted to let you know about the situation and how we are responding.
Upon learning of the incident, we immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.
GoTo’s products and services remain fully functional, and we are committed to our customers. As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity.
Thank you for your patience as we work expeditiously to complete our investigation. We will continue to update you.
In "Parsing LastPass' Data Breach Notice," TechCrunch pointed out essential facts the November 30 GoTo post doesn't mention or obfuscates, including:
2nd Breach: The first LastPass "security incident" happened in August (more below).
When: LastPass didn't identify the exact date its second breach happened.
Impact: We need to find out how many accounts are affected.
Protective Steps: Neither GoTo nor LastPass has shared protective steps their customers should take, so we share a few common-sense post-breach security tips below.
Back in August, LastPass found that an employee’s work account was compromised to gain unauthorized access to the company’s development environment, which stores some of LastPass’ source code. LastPass CEO Karim Toubba said the hacker’s activity was limited and contained, and told customers that there was no action they needed to take.
Fast-forward to the end of November, and LastPass confirmed a second compromise that it said was related to its first. This time around, LastPass wasn’t as lucky. The intruder had gained access to customer information.
If changing every password in your password manager makes you mad enough to change password managers, read "The Best Password Managers for 2022" from PC Magazine to find another option. We recommend changing your GoTo and LastPass logins, even though it may be shutting the barn door after the horses have run for the hills. Then, if you're mad enough, return to option one - finding a new password manager and possibly another online meeting app.