Zero Knowledge Mitigates GoTo & LastPass Security Breach, Proves Its Worth

[Image: a golden combination lock on top of a white keyboard next to two golden credit cards]
Cybercriminals successfully penetrated a cloud provider, but did not have the keys or codes to the secured files.
Source: Unsplash

GoTo and LastPass have issued formal security breach notifications, stating that cybercriminals gained access to their development environment and cloud storage facilities. LastPass is a subsidiary of GoTo (formerly LogMeIn), and both share the same cloud storage facilities.

“We have determined that an unauthorized party… was able to gain access to certain elements of our customers’ information. Our customers’ passwords remain safely encrypted due to LastPass’s Zero Knowledge architecture,” LastPass CEO Karim Toubba said in the company update. GoTo, however, made no mention of a compromise of customer records in its initial communications.

What We Know about the GoTo & LastPass Security Breach

GoTo is an IT communications toolkit and cloud provider for business owners, offering VoIP, video conferencing, and remote support. In 2021 the Hungary-based company announced that LastPass would no longer be a product under the GoTo suite of offerings. Shortly thereafter, LastPass was launched as a standalone company.

This decision was driven by the credential manager’s popularity, especially given the large number of security breaches facing individuals and business owners. According to LastPass’s parent company, LastPass is used by over 30 million people and 85,000 businesses worldwide.

LastPass initially suffered a security breach in August 2022, and information taken in that incident was likely used in this latest attack. In September, the firm revealed that cybercriminals had gained access to its network for four consecutive days. During that time, the malicious actors managed to steal some of the source code along with technical information.

Both firms have engaged third-party services to deal with the situation. “Upon learning of the incident, we immediately launched an investigation, engaged Mandiant, a leading security firm, and alerted law enforcement,” GoTo CEO Paddy Srinivasan said in his update.

“Based on the investigation to date, we have detected unusual activity within our development environment and third-party cloud storage service. The third-party cloud storage service is currently shared by both GoTo and its affiliate, LastPass,” Srinivasan continued.

Security Breach Details Remain Unknown

[Image: a metallic silver security keypad bolted against a metallic silver background]
The network was compromised, but customers’ passwords have proven secure at LastPass.
Source: Unsplash

At this point, what information was stolen from GoTo and LastPass is still unknown. The companies have also declined to name their third-party cloud provider. The investigation is currently underway, and customers will need to stay tuned for further information.

The same cloud storage breach affected both companies, and the exact time of the security breach remains unknown. It is relatively common for companies to wait until they have more concrete information before releasing an announcement. Sometimes it can take months before the affected companies pinpoint exactly what went wrong, gather information, and issue a relevant update.

As of now, GoTo and LastPass services remain operational. More importantly, customer passwords and credentials remain secured. So the breach may not be quite as serious as many other network compromises, such as the sale of information on over 533 million Meta user accounts, or the iSpoofing scandal that affected over 200,000 people globally.

That said, the security breach victims must not breathe a sigh of relief just yet. Cybercriminal activity often remains under wraps for some time after an attack. Attackers may, for instance, copy information and wait before releasing it, or they might install malware or spyware that inflicts damage over time.

The best practice for GoTo and LastPass — and other companies facing the same fate — is to simply outline details of the security vulnerabilities transparently as they become aware of them. 

Cybersecurity Expert Unable to Stand Its Ground

[Image: a silver key against a black background, with a slightly blurry reflection along the bottom of the picture]
Cybersecurity firms are not as secure as they claim to be. Zero Knowledge is the true key to cybersecurity.
Source: Unsplash

“Trusted. Secure. Reliable.” are the three words listed on the very top of the LastPass homepage. “Safeguarding your data is what we do, with proactive security and reliability as cornerstones of our mission.” 

Yet this cybersecurity expert was not able to prevent cybercriminals from penetrating its cloud hosting provider. Companies that boast of their impregnability are being hit with breaches that could severely damage their reputations, and a cybersecurity firm that cannot secure its own networks will face considerable skepticism from customers.

LastPass’ reputation is already on thin ice, with the company being breached twice within four months. That said, the company’s standing is still far stronger when compared to other companies facing similar security breaches. 

This is because LastPass supposedly uses Zero Knowledge (ZK) architecture, and this may have saved its customer information from compromise. LastPass further uses AES-256 encryption for vault data, PBKDF2 with SHA-256 to derive keys from master passwords, and multi-factor authentication.

A Victory for Zero Knowledge Architecture?

Companies with servers full of customer information and sensitive data are appetizing targets for cybercriminals. Despite the most robust security measures, a simple social engineering attack on an employee can compromise an entire network. But a compromised network only exposes information that was accessible in readable form on that network in the first place.

Zero knowledge architecture represents a shift from conventional data management. Essentially, the assertion is that the provider cannot read the information because it never holds the password; only the customer does. The provider simply holds an encrypted file.
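What that architecture looks like in code, using the primitives the article names earlier (AES-256 for the vault, PBKDF2 with SHA-256 for the master password): an added example written for this page, not LastPass’s or GoTo’s own code. The “zero knowledge” the article refers to is client-side encryption under a key derived from the master password, not a zero-knowledge proof in the cryptographic sense. The iteration count, the 16-byte salt, the authentication hash (one further PBKDF2 round over the derived key, so the server can check a login without learning the key), the `ServerRecord` layout and the sample vault contents are all assumptions of this example; PBKDF2 is written out by hand so the program needs only Go’s standard library.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// Iteration count chosen for this example; an assumption, not any vendor's configured value.
const iterations = 100000

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA256 (RFC 8018) for a single 32-byte
// output block, written out so the example needs only the standard library.
func pbkdf2SHA256(password, salt []byte, iter int) []byte {
	prf := hmac.New(sha256.New, password)
	prf.Write(salt)
	prf.Write([]byte{0, 0, 0, 1}) // INT(1): big-endian index of the first block
	u := prf.Sum(nil)             // U_1 = PRF(P, S || INT(1))
	t := append([]byte(nil), u...)
	for i := 1; i < iter; i++ {
		prf.Reset()
		prf.Write(u)
		u = prf.Sum(nil) // U_i = PRF(P, U_{i-1})
		for j := range t {
			t[j] ^= u[j] // T = U_1 xor U_2 xor ... xor U_c
		}
	}
	return t
}

// ServerRecord is everything the provider stores for one user. The master
// password, the AES key and the vault plaintext are never part of it.
type ServerRecord struct{ Salt, AuthHash, Nonce, Ciphertext []byte }

// deriveKeys runs on the client. The AES-256 key never leaves the client;
// the auth hash is one further PBKDF2 round so the server can check a login
// without learning the key (a scheme chosen for this example).
func deriveKeys(master, salt []byte) (encKey, authHash []byte) {
	encKey = pbkdf2SHA256(master, salt, iterations)
	authHash = pbkdf2SHA256(encKey, master, 1)
	return encKey, authHash
}

func newGCM(encKey []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(encKey) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Enroll is first-time setup: the client encrypts the vault locally and
// uploads only the record the server needs to keep.
func Enroll(master, vault []byte) (ServerRecord, error) {
	random := make([]byte, 16+12) // 16-byte salt followed by a 12-byte GCM nonce
	if _, err := rand.Read(random); err != nil {
		return ServerRecord{}, err
	}
	salt, nonce := random[:16], random[16:]
	encKey, authHash := deriveKeys(master, salt)
	gcm, err := newGCM(encKey)
	if err != nil {
		return ServerRecord{}, err
	}
	ct := gcm.Seal(nil, nonce, vault, nil)
	return ServerRecord{Salt: salt, AuthHash: authHash, Nonce: nonce, Ciphertext: ct}, nil
}

// Unlock is a login: the client re-derives both values, the server compares
// the auth hash in constant time and releases the blob, the client decrypts.
func Unlock(rec ServerRecord, master []byte) ([]byte, error) {
	encKey, authHash := deriveKeys(master, rec.Salt)
	if subtle.ConstantTimeCompare(authHash, rec.AuthHash) != 1 {
		return nil, fmt.Errorf("server: authentication failed")
	}
	gcm, err := newGCM(encKey)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, rec.Nonce, rec.Ciphertext, nil)
}

func main() {
	master := []byte("correct horse battery staple") // constructed sample values
	vault := []byte(`{"site":"example.com","user":"alice","password":"hunter2"}`)
	rec, err := Enroll(master, vault)
	if err != nil {
		panic(err)
	}
	fmt.Println("stolen storage shows the password:", bytes.Contains(rec.Ciphertext, []byte("hunter2")))
	_, err = Unlock(rec, []byte("not the master password"))
	fmt.Println("wrong master password rejected:", err != nil)
}
```

Run with `go run` and the two printed lines make the article’s point: a copy of everything the server holds does not contain the stored password, and a wrong master password is rejected before any decryption happens. What a stolen record does give an attacker is the chance to guess master passwords offline against the auth hash and ciphertext, which is why the iteration count and the strength of the master password, rather than the provider’s perimeter, decide how much a storage breach costs the customer.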

Entities who do not use ZK architecture — like government departments, hospitals, credit agencies like Equifax, banks, financial institutions, and major social media companies — have seen sensitive information stolen and sold online.   

A more pressing question is whether or not LastPass and GoTo are genuinely Zero Knowledge. Future communications will ultimately reveal this, showing whether or not the security breach compromised sensitive customer information — and to what extent. 

“Zero knowledge means that no one except you has access to your master password or the data stored in your vault. Not even LastPass,” states the LastPass blog. “Biometric data is encrypted at the device level and never leaves the user’s device, protecting biometric data from server-side attacks.”

That said, what happened with the so-called cybersecurity experts can teach SMBs worldwide a valuable lesson. Cybercriminals can and will find ways to infiltrate your defenses. As a result, you must never let your guard down, and always be sure your security measures are up-to-date.
