GoTo, the remote collaboration and IT software company that owns LastPass, has confirmed that, along with LastPass’ password vaults, it had customer data taken by attackers during a November 2022 security breach (via TechCrunch).

The company, which was formerly known as LogMeIn, is updating its blog post about the breach for the first time since November 30th, when GoTo confirmed “unusual activity” within its development environment and cloud storage service.

Many of GoTo’s enterprise products were affected, including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. GoTo CEO Paddy Srinivasan writes that a hacker “exfiltrated encrypted backups from a third-party cloud storage service” and acquired the encryption key for a portion of them — nearly two months ago. The information taken varies by product but “may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.”

Encrypted databases for the more well-known GoToMyPC remote computer software and Rescue were not taken by the attackers; however, “MFA settings of a small subset of their customers were impacted.”

GoTo is apparently contacting affected customers directly to provide additional info as well as support for what actions to take. Passwords for their accounts will be reset “out of an abundance of caution,” and MFA will also be reauthorized. Srinivasan also wrote that affected accounts will be migrated to a different Identity Management Platform for additional security, one with “more robust authentication and login-based security options.”

Our first whiff of the breach was in August, when LastPass notified users that an unauthorized party compromised a developer account. Information taken during that attack was apparently used in November, when hackers were successful in obtaining customer vaults — a fact that was only announced publicly late in the day on Thursday, December 22nd, when many people were preparing to take a holiday break.

Cybersecurity experts tore apart LastPass’ response to the leak, accusing the company of a lack of transparency about the severity of the situation and its failure to contain the breach.

Now, Srinivasan is dealing with a heavy fallout that’s only getting worse. But the CEO is noting to customers that GoTo doesn’t store their full credit card and banking details and doesn’t collect PII such as date of birth, address, and Social Security numbers. LastPass also played down a separate incident in 2021 where customers were barraged by constant unauthorized login attempts.