LastPass owner admits to major security lapse: Customer backups stolen

GoTo, LastPass’ parent company, has revealed that attackers acquired encrypted backups from clients during a recent system breach.

LastPass originally confirmed the breach on November 30. At the time, LastPass CEO Karim Toubba stated that an “unauthorized entity” had gained access to certain user data held in a third-party cloud service that LastPass and GoTo shared. The attackers used the August intrusion into LastPass’s systems to gain further access to the companies’ shared cloud data. GoTo, which acquired LastPass in 2015, stated at the time that it was conducting an investigation.

Malware as the culprit

About two months later, in an amended statement, GoTo confirmed that the malware affected a number of its products, including the business communications tool Central, the online meetings service Join.me, the hosted VPN service Hamachi, and the Remotely Anywhere remote access tool.

GoTo reported that the intruders stole encrypted backups of user data from these services, along with the company’s key used to encrypt that data.

“Depending on the product, the compromised information may include account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and license information,” stated GoTo CEO Paddy Srinivasan. Additionally, Rescue and GoToMyPC’s encrypted databases were not exfiltrated, but the MFA settings of a fraction of their clients were compromised.

LastPass’s parent company stated that it does not keep credit card or bank account information, nor does it collect personal information such as date of birth, home address, or Social Security numbers. This is in stark contrast to the attack on its subsidiary, LastPass, in which attackers acquired clients’ encrypted password vaults along with their names, email addresses, phone numbers, and some billing information.

GoTo has not disclosed the number of affected consumers. According to GoTo public relations director Jen Mathews, the company has 800,000 customers, including enterprises, but she refused to answer our further queries. Prior to publication, GoTo spokeswoman Nikolett Bacso-Albaum repeatedly declined to answer or reply to TechCrunch’s questions.

What can we learn from this incident?

If large companies can be vulnerable to malware attacks, small businesses are even more so. Bad actors do not discriminate, which leaves your small business all the more exposed to the advanced tactics they may use to take down their prey.

Small businesses are particularly vulnerable to malware attacks, as smaller organizations may have less robust security measures in place. It is important for small businesses to take proactive steps to protect their sensitive information and systems from attack. Here are some tips for small businesses to guard against malware:

  1. Keep software up-to-date: This includes the operating system, web browsers, and all other software used by the company. Outdated software can contain security vulnerabilities that attackers can exploit.
  2. Educate employees: Teach employees about the dangers of malware and how to identify phishing scams and other malicious attacks. Emphasize the importance of only downloading software and attachments from trusted sources.
  3. Implement strong passwords: Encourage employees to use strong, unique passwords and to avoid using the same password for multiple accounts. Consider using a password manager to help generate and store strong passwords.
  4. Use antivirus and antimalware software: Install and regularly update antivirus and antimalware software to protect against the latest threats.
  5. Backup data regularly: Regularly backing up important data and storing it off-site can help minimize the damage caused by a malware attack.
  6. Hire a Data Protection Officer (DPO) to ensure that your organisation is PDPA compliant. Appointing a DPO is not only mandatory for all organisations in Singapore, but it also provides several benefits for your company. While you can appoint one in-house, there are also benefits to outsourcing the data protection officer service.

A Data Protection Officer (DPO) oversees data protection responsibilities and ensures that the organisation complies with the Personal Data Protection Act (PDPA). Furthermore, every organisation’s DPO should be able to curb any instances of PDPA noncompliance, as the DPO is the officer responsible for maintaining the organisation’s positive cybersecurity posture.

DPOs complement an organisation’s efforts to ensure that its methods of collecting personal data comply with the PDPA. The DPO also ensures that policies are in place to prevent data breaches in the future.
