GoTo Says Hackers Stole Encrypted Backups, MFA Settings

IT management software firm GoTo on Tuesday said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach that also affected its LastPass affiliate. GoTo chief executive Paddy Srinivasan confirmed the security breach was far worse than originally reported and included the theft of account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. LastPass said the hackers broke into its network in August and used information from that hack to return and hijack customer data that included company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.