11/30/22 Security Incident

For anyone who hasn't seen it yet, I just received the following in an email from GoTo.  I haven't totally digested it yet, but it sounds like password changes are being forced (which is most likely a good thing).

Dear Customer,

I am writing to update you on our ongoing investigation about the security incident we told you about in November 2022.

Our investigation to date has determined that a threat actor exfiltrated encrypted backups related to Central and Pro from a third-party cloud storage facility. In addition, we have evidence that a threat actor also exfiltrated an encryption key for a portion of the encrypted data. However, as part of our security protocols, we salt and hash Central and Pro account passwords. This provides an additional layer of security within the encrypted backups.

Recommended Actions
Out of an abundance of caution, we are resetting your Central or Pro password. If you use Multi-Factor Authentication to sign into your account, you may be prompted to update your Multi-Factor Authentication settings during this process.

As an additional step to protect you, your account will automatically be migrated to GoTo’s enhanced Identity Management Platform as part of your password reset. This platform provides additional security for your users with more robust authentication and login-based security options, including enhanced controls, stronger password requirements, and a Single Sign-On option to access multiple GoTo (formerly LogMeIn) products. Note: all users who have reset their password since December 12 have already migrated to the new platform and do not need to take this action. Additional guidance can be found here for Central and Pro.

What information was affected
The information in the affected backups include your Central and Pro account usernames and salted and hashed passwords. It also includes your deployment and provisioning information, One-To-Many scripts (Central only), some Multi-Factor Authentication information, licensing and purchasing data such as user emails, phone numbers, billing addresses, and the last four digits of credit card numbers (we do not store full credit card or bank details).

Based on our investigation to date, we continue to believe that the threat actor did not have access to GoTo’s production systems. Furthermore, Central and Pro's peer-to-peer technology and end-to-end encryption provide security against interception and eavesdropping of data transferred during remote sessions. Your session data in transit is always protected by Transport Layer Security (TLS) 1.2.

While the investigation is ongoing, we wanted to provide this important update to you, and recommend clear and actionable steps in response to what we have learned. We are committed to protecting you, your information, and the security of our products and will continue to update you. If you have any additional questions, please contact customer support.

Paddy Srinivasan
CEO, GoTo (formerly LogMeIn)

(Minor edit made to include the resource links in the original email. Please note if you did not receive the email no action is required - GlennD) 

Well I ended up speaking with a manager and, to be fair, their hands are tied by higher ups no doubt. This is a tricky situation and said they would pass along my feedback. I get that they can only provide what they have the ability to provide.

Don't get me wrong though, I am getting quotes from other services like TeamViewer/SplashTop/etc because I have a business I need to keep running and the longer no info is available stating the services are indeed safe, the more confidence degrades.

GlennD - I understand that your hands our tied and you are still researching, but until you can say that LogMeIn is secure, then I think the fully functional  is not useful at all.  To have an open port to LogMeIn without knowing that the software cloud I am connected to is completely secure is not something that I can do.  When you can say that it is secure and the reasoning behind it being secure, like you rebuilt a server or moved it to another cloud or whatever someone has to do to take a breached server and make it secure again, I can't use it's functionality.  So, a better answer to me is that we continue to research and I understand your frustrations.

What are you finding regarding the other products?  Do any work similar to LogMeIn.  I have a user who has 6 screens in the office and only one screen at home, so using RDP is not really helpful in his scenario.  He is used to LogMeIn and just moving from screen to screen and struggles with just pulling up the app he wants on his single screen at home.

Thanks for this article.  

Another big thing for us, is to use a secured service to access rather than manage a VPN and then have to make sure user's home PC's are secured up.

(external links removed GlennD 12/15/22)

Hello,

Has the investigation been completed yet as it would relate to LogMeIn Central?  Has GoTo commented on what they found in coordination with Mandiant, and what steps were taken accordingly (as it relates to Central)?

I did see the blog update on 12/22/22 for LastPass (link), but I think that really only discussed LastPass specifically.  I am not currently a LastPass customer, but we are a longtime LogMeIn Central customer, and I was sent the email notification of the "security incident" on 11/30/22.

Thanks,

etb

Were the One2Many attached files also accessed (registry files, MSI, etc..)? We need to know this. Need further clarity please.

Hi cvillard1 and JoJoKopp 

I completely understand your concern and frustration, unfortunately, we do not have more details that can be shared currently. All of our services are fully functional and we have not identified any additional actions required for customers.  

Our investigation is ongoing and as soon as new information is available to be shared I will update you here in the community. 

Just passing this along to others and to GoTo. This is why users are concerned and GoTo should make some sort of update.

https://techcrunch.com/2022/12/14/parsing-lastpass-august-data-breach-notice/