Product reviews, deals and the latest tech news

Hackers stole customer data backups, claims LastPass owner GoTo

GoTo, the company behind the LastPass password manager, has admitted that a security compromise in November allowed hackers to steal encrypted data from certain clients.

The incident, which was a direct result of another data breach in August, included a “unauthorised entity” gaining access to the personal information of certain LastPass and GoTo clients held on a third-party cloud storage service. Information taken from the company in August was leveraged in a November database breach to get non-encrypted client information, including names, email addresses, billing information, phone numbers, and IP addresses. According to the firm, no unencrypted credit card information was leaked.

Now, GoTo claims that the intrusion has spread to some of its other corporate products, with encrypted client backups (copies of data emergency recovery) stolen for Central, Pro,, Hamachi, and RemotelyAnywhere. Moreover, the organisation claims to have proof that a client data encryption key was taken.

GoTo CEO Paddy Srinivasan wrote in a blog post update on Monday that, “the compromised information, which varies by product, may include account usernames, salted and hashed passwords, a part of multi-factor authentication (MFA) settings, and certain product settings and licence information.” The MFA settings of a minority of Rescue and GoToMyPC users were also compromised, even though no encrypted data was stolen.

Srinivasan said that the business has no reason to assume that any other GoTo products were compromised. Although GoTo did not reveal how many clients were compromised, the company said claim it is alerting everybody who may have been affected by the incident.

LastPass is a password management and secure data storage platform that enables users to safely create, save, and share passwords, digital documents, and other sensitive information with friends, family, and colleagues. However, in late December, LastPass CEO Karim Toubba admitted that an unauthorised person had stolen client account information and vault data, which had first been published in August.