Date: 2022-12-22

LastPass and GoTo share their cloud storage

A key part of why both LastPass and GoTo are notifying their respective customers is that the two companies share the same cloud storage. [...]

LastPass doesn't yet know what was accessed, or if data was taken

In its blog post, LastPass said it was "working diligently" to understand what specific information was accessed by the unauthorized party. In other words, at the time of its blog post, LastPass doesn't yet know what customer data was accessed, or if data was exfiltrated from its cloud storage. [...]

A malicious actor is probably behind the breach

The wording of LastPass' blog post in August left open the possibility that the "unauthorized party" may not have been acting in bad faith.

[...] At this point it's fairly safe to assume that the unauthorized party behind the breach is a malicious actor at work, even if the motive of the hacker — or hackers — is not yet known. [...]

We don't know when the breach actually happened

LastPass did not say when the second breach happened, only that it was "recently detected", which refers to the company's discovery of the breach and not necessarily the intrusion itself. [...]

LastPass won't say what kind of customer information could have been at risk

An obvious question is what customer information LastPass and GoTo are storing in their shared cloud storage. LastPass only says that "certain elements" of customer data were accessed. That could be as broad as the personal information that customers gave LastPass when they registered, such as their name and email address, all the way through to sensitive financial or billing information and customers' encrypted password vaults. [...]

LastPass hasn't said how many customers are affected

If the intruder accessed a shared cloud storage account storing customer information, it's reasonable to assume that they had significant, if not unrestricted, access to whatever customer data was stored.

A best-case scenario is that LastPass segmented or compartmentalized customer information to prevent a scenario like a catastrophic data theft. [...]

Why did GoTo hide its data breach notice?

If you thought LastPass' blog post was light on details, the statement from its parent company GoTo was even lighter. What was more curious is why, if you searched for GoTo's statement, you wouldn't initially find it. That's because GoTo used "noindex" code on the blog post to tell search engine crawlers, like Google, to skip it and not catalog the page as part of its search results, ensuring that nobody could find it unless they knew its specific web address.

[...] Lydia Tsui, a director at crisis communications firm Brunswick Group, which represents GoTo, told TechCrunch that GoTo had removed the "noindex" code blocking the data breach notice from search engines, but declined to say for what reason the post was blocked to begin with.

Some mysteries we may never solve.
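
A "noindex" directive like the one described above can reach a crawler either as a robots meta tag in the page or as an X-Robots-Tag response header; the article does not say which form GoTo used, so this added example (not code from the article or from GoTo) checks both. The function names and the sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

BLOCKING = {"noindex", "none"}          # "none" is shorthand for noindex, nofollow
VALUED = {"unavailable_after", "max-snippet", "max-image-preview", "max-video-preview"}
META_NAMES = {"robots", "googlebot", "bingbot"}   # "robots" addresses every crawler


class RobotsMeta(HTMLParser):
    """Collects (source, directive) pairs from <meta name="robots"> style tags."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k.lower(): (v or "") for k, v in attrs}
        name = attr.get("name", "").strip().lower()
        if name in META_NAMES:
            for d in attr.get("content", "").split(","):
                self.found.append((f"meta[{name}]", d.strip().lower()))


def header_directives(headers):
    """Yield (source, directive) pairs from X-Robots-Tag response headers."""
    for key, value in headers:
        if key.strip().lower() != "x-robots-tag":
            continue
        agent, sep, rest = value.partition(":")
        # A leading "googlebot:" scopes the rule to one crawler; "max-snippet:-1" does not.
        if sep and "," not in agent and agent.strip().lower() not in VALUED:
            scope, value = agent.strip().lower(), rest
        else:
            scope = "all"
        for d in value.split(","):
            yield (f"header[{scope}]", d.strip().lower())


def indexing_blockers(html, headers=()):
    """Return the sorted sources that tell crawlers not to index the page."""
    parser = RobotsMeta()
    parser.feed(html)
    pairs = parser.found + list(header_directives(headers))
    return sorted({src for src, d in pairs if d in BLOCKING})


# Constructed sample inputs (not GoTo's actual markup or headers).
HIDDEN = '<html><head><meta name="ROBOTS" content="NoIndex, nofollow"></head></html>'
VISIBLE = '<html><head><meta name="robots" content="index, follow"></head></html>'
```

Running a check like this against a published security notice before and after release confirms that the page customers are told to look for can actually be found through search.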