LastPass & GoTo incident

Type

Incident

Actors

❓Unknown

Pub. date

November 30, 2022

Initial access

End-user compromise

Impact

Data exfiltration

References

https://www.bleepingcomputer.com/news/security/goto-says-hackers-stole-customers-backups-and-encryption-key/https://www.bleepingcomputer.com/news/security/goto-says-hackers-breached-its-dev-environment-cloud-storage/https://www.goto.com/blog/our-response-to-a-recent-security-incident

Status

Stub

Last edited

Jun 2, 2024 11:55 AM

In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a cloud storage service used by them and LastPass (their affiliate).

August ‘22 Incident

The investigation determined that the threat actor gained access to the development environment using a developer’s compromised endpoint. While the method used for the initial endpoint compromise is inconclusive, the threat actor utilized their persistent access to impersonate the developer once the developer had successfully authenticated using multi-factor authentication, and then gained access to LastPass source code.

During this timeframe, the LastPass security team detected the threat actor’s activity and then reportedly contained the incident.

November ‘22 Incident

In November 2022, GoTo (formerly LogMeIn) disclosed a security breach of their development environment and a shared cloud storage service used by them and LastPass (their affiliate), presumably as a result of the August ‘22 incident.

December ‘22 Incident

The threat actor accessed a cloud-based storage environment leveraging information obtained from the previous incident in August ‘22; they managed to compromise the workstation of another employee and exploited a Plex vulnerability. They installed a keylogger and obtained credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.