GoTo suffers security incident; customer data stolen, including encrypted passwords, MFA settings. Change passwords, reset 2FA, regenerate backup codes.
GoTo is a well-known brand that owns a range of products, including technologies for teleconferencing and webinars, remote access, and password management. On 2022-11-30, GoTo informed customers that it had suffered “a security incident”, where a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to their products. This included account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information.
Two months later, GoTo has come back with an update and the news isn’t great. It is unclear why MFA settings were stored encrypted for some customers, but not for others. It is also unclear what the words “MFA settings” encompass. It is possible that this incident is connected to the LastPass breach from August 2022.
It is important for customers to take action in order to protect their accounts. This includes changing passwords, resetting any app-based 2FA code sequences, re-generating new backup codes, and considering switching to app-based 2FA codes if possible. It is also important to use strong passwords and not share them between accounts. Additionally, it is important to use well-known algorithms such as PBKDF2, bcrypt, scrypt and Argon2 for password hashing systems, and to follow the algorithm’s own guidelines for salting and stretching parameters that provide good resilience against password-list attacks.
GoTo’s breach is a reminder of the importance of taking precautions to protect your accounts. It is essential to take steps to secure your accounts, such as changing passwords, resetting 2FA codes, and using strong passwords. Additionally, it is important to use reputable algorithms for password hashing systems and to follow the algorithm’s own guidelines for salting and stretching parameters. By taking these steps, customers can help protect their accounts and data from potential breaches.