GoTo Connect & LastPass Data Breach

[Scott]

o All GoTo Customers,

I am writing to inform you that GoTo is investigating a security incident. While we are currently working to better understand the scope of the issue, we wanted to let you know about the situation and how we are responding.

Upon learning of the incident, we immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.

GoToââ,¬â,,¢s products and services remain fully functional. As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity.

Thank you for your patience as we work to complete our investigation. We will update you, and our blog post as we learn more.

Sincerely,

Paddy Srinivasan
CEO

Just received this today, as we use both products commercially. For anyone who uses LastPass for password management, take the opportunity now to change passwords, core encryption key and master password of your wallets/vaults.

[ssfc72]

Thanks for the security info warning and advice on LastPass, Scott.

I use KeepassX as my password manager, so I should be ok.

[Jason]

Thanks for the info, Scott.

I used LastPass for a number of years but am now using Bitwarden. Not sure about its security posture but I like that it's Open Source and free across multiple devices. The premium version is only $10/year which you need for 2FA. LastPass originally cost $12/year for premium, then $24/year and $36/year only a couple of years ago. I see it's now $51/year!

It sounds like they don't really know anything at this point. But certainly doesn't hurt to change passwords. It's a good reminder that we should be using 2FA, too.

Bill: You just have to watch for Dropbox breaches. I seem to recall that you keep your database there. Hopefully, with strong encryption!

[Jason]

How do you change the core encryption key in LastPass? Isn't that generated automatically using the master password? From what I understand, the master password is stored on the server in an encrypted format. The only data the server receives when you log in is the encrypted version. So a strong password and a lot of rounds of encryption should prevent anyone from getting in even if they steal the password databases. At least, until the bad guys have quantum computers.

[Jason]

Other than the password advice, LastPass has some pretty good info that works generally for password managers, not just LastPass, specifically about Multi-factor Authentication (MFA):

https://blog.lastpass.com/2022/01/how-to-set-up-your-new-lastpass-account/

The password info is mainstream advice but it's outdated (and bad) advice: using mixed cases, number(s) and special character(s). You can do it if you want but unless it's randomized (i.e. looks like gibberish and hard to remember), the standard advice now is to use a long passphrase, not a more complex one. So, for example, four words randomly generated from a word-list is stronger than a 10-character password and easy to remember. Diceware.com

[ssfc72]

Thanks Jason, yes KeepassX has good encryption and my password to access my Keypass is fairly lengthy.

Thanks for the info, Scott.

I used LastPass for a number of years but am now using Bitwarden. Not sure about its security posture but I like that it's Open Source and free across multiple devices. The premium version is only $10/year which you need for 2FA. LastPass originally cost $12/year for premium, then $24/year and $36/year only a couple of years ago. I see it's now $51/year!

It sounds like they don't really know anything at this point. But certainly doesn't hurt to change passwords. It's a good reminder that we should be using 2FA, too.

Bill: You just have to watch for Dropbox breaches. I seem to recall that you keep your database there. Hopefully, with strong encryption!

[fox]

I have started to use 2FA for a lot of things. It gave me the confidence to finally go to online banking.

[Jason]

Thanks Jason, yes KeepassX has good encryption and my password to access my Keypass is fairly lengthy.

Excellent.

[Jason]

I have started to use 2FA for a lot of things. It gave me the confidence to finally go to online banking.

Welcome to the 21st century! I figured if banks with their billions can't get it right, nobody can. My bank was just using the security questions as extra protection until recently which wasn't 2FA despite their argument. There are three ways of authenticating.

1. Something you know (e.g. password)
2. Something you have (e.g. a security key, phone)
3. Something you are (e.g. biometric, location)

MFA (multi-factor authentication) is a term used to mean more than one factor. 2FA is a form of MFA, in other words.

They updated it now so that when I try to log in from another device, the bank app asks for my permission (something I know + something I have). Additionally, my phone requires my fingerprint so it's also something I am. I still wish I could use my YubiKey. Your account sending you a text you have to enter to get in is another 2FA method. But it's a weak one. Hackers can social engineer your phone company into having a "replacement" SIM card sent to them.

If I want to bank from my phone, I unlock it with my fingerprint (something I am and something I have).

The whole idea is that somebody could steal your password either through phishing, malware or just a bad password and some simple hacking. But if you have 2FA they'll need more. And since a lot of stolen password hacks are remote, it might be hard to steal your phone to get at the OTP app or get your fingerprint.

How does your bank do it, Fox? I remember that you had one of those OTP cards but that was just for your Trent account, I believe.

[fox]

....
The whole idea is that somebody could steal your password either through phishing, malware or just a bad password and some simple hacking. But if you have 2FA they'll need more. And since a lot of stolen password hacks are remote, it might be hard to steal your phone to get at the OTP app or get your fingerprint.

How does your bank do it, Fox? I remember that you had one of those OTP cards but that was just for your Trent account, I believe.

RBC gives you choices. I use my fingerprint, for the reason you stated.

[William]

I'm forced to use SMS text as 2FA for work.  It's hassle, since I often don't have cell phone with me.  Also, my plan is PayAsYouGo.

I've heard that if you're on one of the lists, then Custom will force you to turn on and log in to cell phone or laptop, and then take it to back room. 

[Jason]

RBC gives you choices. I use my fingerprint, for the reason you stated.

That's my bank, too.

[Jason]

I'm forced to use SMS text as 2FA for work.  It's hassle, since I often don't have cell phone with me.  Also, my plan is PayAsYouGo.

I've heard that if you're on one of the lists, then Custom will force you to turn on and log in to cell phone or laptop, and then take it to back room.

Do you have an Android phone, William? I can't speak for iPhones but if you go to https://messages.google.com you can pair your phone to your web browser so you'll see texts in both places. Good if you usually have your laptop with you but not your phone. Won't help with the pay-per-text plan. You'll still have to pay for the texts.

I'm not sure about your point regarding customs. That can happen 2FA or not. Personally, if I was travelling, I'd factory reset my device. Then they can look at it to their heart's desire. But I presume they just want to see you power your laptop or phone on to prove it's not an explosive device or that you're smuggling something in it. No idea, though. You don't have to be on a list though; they do random checks, too.

[Jason]

I should have mentioned that by "pairing" your text messages with your phone, I don't mean Bluetooth so your laptop or computer doesn't need it.