LastPass owner GoTo says hackers stole encrypted backups and keys

It’s been almost two months since LastPass owner GoTo confirmed that its company had been hacked in November of last year, exposing user data for a number of its security- and access-focused products. But hackers also breached GoTo’s other products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. In an update concerning those breaches yesterday, GoTo gave more info that’s cause for concern: in addition to taking encrypted data from a shared third-party server, the hackers managed to get the encryption key, too.

The LastPass hack was already fairly devastating for a company that’s all about securing users’ data. Previously we knew that usernames and passwords, as well as billing info, email addresses, phone numbers, and IP addresses were stolen. The update says that in addition to all of that, more usernames and passwords (including salted and hashed passwords), multi-factor authentication settings, and licensing info was taken from users of Central, Pro, join.me, Hamachi, and RemotelyAnywhere. GoToMyPC and Rescue support databases were, apparently, not stolen, nor were credit card numbers.

The update doesn’t say how many users were affected — in fact, GoTo hasn’t given that information at all so far. But the post says that “we are contacting affected customers directly” and recommending steps to protect their account info. Affected users’ passwords on the related GoTo products have been reset by the company. User accounts are being migrated to an “enhanced Identity Management Platform” with more robust security.

The update is the latest in a string of embarrassing news for GoTo and LastPass. The November hack follows a similar event in August of last year, apparently related, and in the combined breaches both internal company information and customer data was compromised. If you want to know how to leave LastPass, you’re not alone: PCWorld has a guide for you.