
GoTo Connect & LastPass Data Breach

Started by Scott, November 30, 2022, 04:33:10 PM


Scott

Quote
To All GoTo Customers,

I am writing to inform you that GoTo is investigating a security incident. While we are currently working to better understand the scope of the issue, we wanted to let you know about the situation and how we are responding.

Upon learning of the incident, we immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement. Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass.

GoTo's products and services remain fully functional. As part of our efforts, we also continue to deploy enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity.

Thank you for your patience as we work to complete our investigation. We will update you, and our blog post as we learn more.

Sincerely,

Paddy Srinivasan
CEO

Just received this today, as we use both products commercially. For anyone who uses LastPass for password management, take the opportunity now to change passwords, core encryption key and master password of your wallets/vaults.

ssfc72

Thanks for the security info warning and advice on LastPass, Scott.

I use KeePassX as my password manager, so I should be ok.
Mint 20.3 on a Dell 14" Inspiron notebook, HP Pavilion X360, 11" k120ca notebook (Linux Lubuntu), Dell 13" XPS notebook computer (MXLinux)
Cellphone Samsung A50, Koodo pre paid service

Jason

Thanks for the info, Scott.

I used LastPass for a number of years but am now using Bitwarden. Not sure about its security posture but I like that it's Open Source and free across multiple devices. The premium version is only $10/year which you need for 2FA. LastPass originally cost $12/year for premium, then $24/year and $36/year only a couple of years ago. I see it's now $51/year!

It sounds like they don't really know anything at this point. But certainly doesn't hurt to change passwords. It's a good reminder that we should be using 2FA, too.

Bill: You just have to watch for Dropbox breaches. I seem to recall that you keep your database there. Hopefully, with strong encryption! :)
* Zorin OS 17.1 Core and Windows 11 Pro on a Dell Precision 3630 Tower with an
i5-8600 3.1 GHz 6-core processor, dual 22" displays, 16 GB of RAM, 512 GB Nvme and a Geforce 1060 6 GB card
* Motorola Edge (2022) phone with Android 13

Jason

How do you change the core encryption key in LastPass? Isn't that generated automatically using the master password? From what I understand, the master password is stored on the server in an encrypted format. The only data the server receives when you log in is the encrypted version. So a strong password and a lot of rounds of encryption should prevent anyone from getting in even if they steal the password databases. At least, until the bad guys have quantum computers.
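The scheme Jason describes above (master password stretched on the client, only a derived hash sent to the server) can be shown in a few lines. This is an added illustration written for this thread, not LastPass's or any other vendor's code; the iteration count, the use of the e-mail address as salt and the "one extra round" login hash are assumptions chosen to mirror the description, not a claim about a specific product.

```python
# Added example: client-side key stretching for a "zero-knowledge" vault.
# Not vendor code; iteration count and salting scheme are illustrative assumptions.
import hashlib
import hmac
import os
import time

ITERATIONS = 600_000   # assumed client work factor; raise it as hardware gets faster
KEY_LEN = 32           # 256-bit vault key


def derive_vault_key(master_password, email, iterations=ITERATIONS):
    """Stretch the master password into the key that encrypts the vault.
    The (lower-cased) e-mail is the salt, so two users with the same password
    get different keys. This runs on the client; the key never leaves it."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), iterations, dklen=KEY_LEN
    )


def login_hash(vault_key, master_password):
    """One more PBKDF2 round over the vault key, salted with the password.
    This is the only thing the client sends at login: it cannot be reversed
    to recover the vault key, and the server never sees the password."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=KEY_LEN)


def server_stores(login_hash_bytes):
    """Server side: hash the received login hash again with a per-user random
    salt before storing it, so a stolen user table still has to be cracked."""
    salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac("sha256", login_hash_bytes, salt, 100_000)
    return salt, stored


def server_verify(salt, stored, login_hash_bytes):
    """Constant-time comparison so timing does not leak how many bytes matched."""
    candidate = hashlib.pbkdf2_hmac("sha256", login_hash_bytes, salt, 100_000)
    return hmac.compare_digest(candidate, stored)


def guesses_per_second(iterations, probes=3):
    """Rough single-core guess rate an attacker gets against a stolen vault at
    this iteration count, measured on the machine running the script. More
    rounds mean fewer guesses per second; this is why the round count matters."""
    start = time.perf_counter()
    for i in range(probes):
        derive_vault_key(f"guess-{i}", "victim@example.com", iterations)
    return probes / (time.perf_counter() - start)


if __name__ == "__main__":
    key = derive_vault_key("correct horse battery staple", "someone@example.com")
    lh = login_hash(key, "correct horse battery staple")
    salt, stored = server_stores(lh)
    print("server accepts:", server_verify(salt, stored, lh))
    for rounds in (1_000, 100_000):
        print(f"{rounds:>7} rounds -> ~{guesses_per_second(rounds):.1f} guesses/s on one core")
```

The point of measuring the guess rate is that the round count, not the key length, is what makes an offline attack on a stolen vault expensive; the vault key itself is fixed once derived, so the only way to get a fresh one is to change the master password (or the iteration count, which also re-derives it).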

Jason

Other than the password advice, LastPass has some pretty good info that works generally for password managers, not just LastPass, specifically about Multi-factor Authentication (MFA):

https://blog.lastpass.com/2022/01/how-to-set-up-your-new-lastpass-account/

The password info is mainstream advice but it's outdated (and bad) advice: using mixed cases, number(s) and special character(s). You can do it if you want but unless it's randomized (i.e. looks like gibberish and hard to remember), the standard advice now is to use a long passphrase, not a more complex one. So, for example, four words randomly generated from a word-list is stronger than a 10-character password and easy to remember. Diceware.com
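The passphrase advice above is easy to put numbers on. The script below is an added example for this thread (not from Diceware.com or LastPass): it picks words with a cryptographic RNG and computes the entropy of a uniformly random passphrase or password. The eight-word list embedded here is a constructed stand-in for the 7776-word Diceware list, whose real size is passed in separately, since only the list size matters for the arithmetic.

```python
# Added example: Diceware-style passphrase generation and entropy arithmetic.
# SAMPLE_WORDS is a constructed placeholder for a real 7776-word list.
import math
import secrets

SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "tiger", "bread", "lamp", "field"]
DICEWARE_LIST_SIZE = 7776   # 6^5: five dice rolls index one word
PRINTABLE_ASCII = 95        # mixed case, digits and symbols
LOWERCASE = 26


def roll_word(words):
    """Pick one word with the CSPRNG (secrets), never the random module."""
    return secrets.choice(words)


def passphrase(n_words, words=SAMPLE_WORDS, sep=" "):
    """Join n independently chosen words; the separator adds no secrecy."""
    return sep.join(roll_word(words) for _ in range(n_words))


def entropy_bits(choices_per_symbol, n_symbols):
    """Entropy of a uniformly random selection: n * log2(choices)."""
    return n_symbols * math.log2(choices_per_symbol)


def compare(n_words=4, n_chars=10):
    """Entropy of n random Diceware words versus n random characters."""
    return {
        "diceware_words": round(entropy_bits(DICEWARE_LIST_SIZE, n_words), 1),
        "random_printable_chars": round(entropy_bits(PRINTABLE_ASCII, n_chars), 1),
        "random_lowercase_chars": round(entropy_bits(LOWERCASE, n_chars), 1),
    }


def words_needed(target_bits, list_size=DICEWARE_LIST_SIZE):
    """Smallest number of list words that reaches a target entropy."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print("sample:", passphrase(4))
    print(compare())
    for target in (64, 80, 128):
        print(f"{target} bits needs {words_needed(target)} Diceware words")
```

Four words from the full list come to about 51.7 bits, roughly a 10-character string of random lowercase letters (47 bits) and well above any 10-character password a person chooses from memory; a 10-character string that is genuinely random over all printable characters is the "gibberish" case the post sets aside and scores higher (65.7 bits). Five words pass 64 bits, seven pass 80. The figures only hold when the words are drawn by the RNG, not chosen by the user.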

ssfc72

Thanks Jason, yes KeePassX has good encryption and my password to access my KeePass is fairly lengthy.


Quote from: Jason on November 30, 2022, 11:40:00 PM
Thanks for the info, Scott.

I used LastPass for a number of years but am now using Bitwarden. Not sure about its security posture but I like that it's Open Source and free across multiple devices. The premium version is only $10/year which you need for 2FA. LastPass originally cost $12/year for premium, then $24/year and $36/year only a couple of years ago. I see it's now $51/year!

It sounds like they don't really know anything at this point. But certainly doesn't hurt to change passwords. It's a good reminder that we should be using 2FA, too.

Bill: You just have to watch for Dropbox breaches. I seem to recall that you keep your database there. Hopefully, with strong encryption! :)

fox

I have started to use 2FA for a lot of things. It gave me the confidence to finally go to online banking.
Ubuntu 24.10 on 2019 5k iMac
Ubuntu 24.04 on Dell XPS 13

Jason

Quote from: ssfc72 on December 02, 2022, 03:06:37 AM
Thanks Jason, yes KeePassX has good encryption and my password to access my KeePass is fairly lengthy.

Excellent.

Jason

Quote from: fox on December 02, 2022, 07:07:09 AM
I have started to use 2FA for a lot of things. It gave me the confidence to finally go to online banking.

Welcome to the 21st century! :) I figured if banks with their billions can't get it right, nobody can. My bank was just using the security questions as extra protection until recently which wasn't 2FA despite their argument. There are three ways of authenticating.

1. Something you know (e.g. password)
2. Something you have (e.g. a security key, phone)
3. Something you are (e.g. biometric, location)

MFA (multi-factor authentication) is a term used to mean more than one factor. 2FA is a form of MFA, in other words.

They updated it now so that when I try to log in from another device, the bank app asks for my permission (something I know + something I have). Additionally, my phone requires my fingerprint so it's also something I am. I still wish I could use my YubiKey. Your account sending you a text you have to enter to get in is another 2FA method. But it's a weak one. Hackers can social engineer your phone company into having a "replacement" SIM card sent to them.

If I want to bank from my phone, I unlock it with my fingerprint (something I am and something I have).

The whole idea is that somebody could steal your password either through phishing, malware or just a bad password and some simple hacking. But if you have 2FA they'll need more. And since a lot of stolen password hacks are remote, it might be hard to steal your phone to get at the OTP app or get your fingerprint.

How does your bank do it, Fox? I remember that you had one of those OTP cards but that was just for your Trent account, I believe.
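The "something you have" factor from an OTP app, mentioned in the post above, is the time-based one-time password of RFC 6238 built on the HMAC-based counter of RFC 4226. The code below is an added example written for this thread, not from any bank or app; it uses the shared test key published in those RFCs so the outputs can be checked against the standard, and the verification function returns the matching time step so a server can refuse a code that is replayed within the same step.

```python
# Added example: HOTP (RFC 4226) and TOTP (RFC 6238) as used by authenticator apps.
# RFC_TEST_SECRET is the published test key from the RFCs, not a real secret.
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret, counter, digits=6):
    """HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_step(for_time=None, step=30):
    """Number of 30-second steps since the Unix epoch (the TOTP counter)."""
    now = time.time() if for_time is None else for_time
    return int(now) // step


def totp(secret, for_time=None, step=30, digits=6):
    """What the phone app displays: HOTP with the current time step as counter."""
    return hotp(secret, time_step(for_time, step), digits)


def verify_totp(secret, submitted, for_time=None, step=30, window=1, digits=6):
    """Server side. Accept codes from the current step plus `window` steps either
    side to tolerate clock drift. Returns the matching step (so the caller can
    store it and reject a reuse of the same code) or None if nothing matched.
    Comparison is constant-time."""
    current = time_step(for_time, step)
    for drift in range(-window, window + 1):
        candidate = hotp(secret, current + drift, digits)
        if hmac.compare_digest(candidate, submitted):
            return current + drift
    return None


def provisioning_uri(secret, account, issuer):
    """The otpauth:// URI that enrolment QR codes encode (base32 secret)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"
            f"&algorithm=SHA1&digits=6&period=30")


if __name__ == "__main__":
    print("code now:", totp(RFC_TEST_SECRET))
    print("RFC 6238 check, T=59, 8 digits:", totp(RFC_TEST_SECRET, for_time=59, digits=8))
    print(provisioning_uri(RFC_TEST_SECRET, "someone@example.com", "ExampleBank"))
```

Two things the code makes visible: the secret is the only thing that matters, so enrolment (the QR code) must be protected as carefully as a password; and the server has to track the last accepted step, otherwise a code a phisher captured can be replayed for up to the whole acceptance window.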

fox

Quote from: Jason on December 03, 2022, 02:26:28 AM
....
The whole idea is that somebody could steal your password either through phishing, malware or just a bad password and some simple hacking. But if you have 2FA they'll need more. And since a lot of stolen password hacks are remote, it might be hard to steal your phone to get at the OTP app or get your fingerprint.

How does your bank do it, Fox? I remember that you had one of those OTP cards but that was just for your Trent account, I believe.

RBC gives you choices. I use my fingerprint, for the reason you stated.

William

I'm forced to use SMS text as 2FA for work. It's a hassle, since I often don't have my cell phone with me. Also, my plan is PayAsYouGo.

I've heard that if you're on one of the lists, then Customs will force you to turn on and log in to your cell phone or laptop, and then take it to a back room.

Jason

Quote from: fox on December 03, 2022, 07:14:28 AM
RBC gives you choices. I use my fingerprint, for the reason you stated.

That's my bank, too.

Jason

Quote from: William on December 04, 2022, 02:40:12 AM
I'm forced to use SMS text as 2FA for work. It's a hassle, since I often don't have my cell phone with me. Also, my plan is PayAsYouGo.

I've heard that if you're on one of the lists, then Customs will force you to turn on and log in to your cell phone or laptop, and then take it to a back room.

Do you have an Android phone, William? I can't speak for iPhones but if you go to https://messages.google.com you can pair your phone to your web browser so you'll see texts in both places. Good if you usually have your laptop with you but not your phone. Won't help with the pay-per-text plan. You'll still have to pay for the texts.

I'm not sure about your point regarding customs. That can happen 2FA or not. Personally, if I was travelling, I'd factory reset my device. Then they can look at it to their heart's desire. But I presume they just want to see you power your laptop or phone on to prove it's not an explosive device or that you're smuggling something in it. No idea, though. You don't have to be on a list though; they do random checks, too.

Jason

I should have mentioned that by "pairing" your text messages with your phone, I don't mean Bluetooth so your laptop or computer doesn't need it.