In January 2023, GoTo and LastPass disclosed a significant security breach affecting their widely used software services. The incidents exposed the credentials and sensitive data of thousands of Canadian businesses and individuals who relied on these platforms for remote access and password management. The breaches exemplified how vulnerabilities at major software providers can have cascading impacts across entire ecosystems of organisations and users.
What Happened
LastPass discovered in December 2022 that attackers had accessed customer vault data through a shared internal system. Investigation revealed that threat actors had exploited a vulnerability in LastPass's code repository and development environment to gain unauthorised access. GoTo, the parent company of LastPass, discovered concurrent breach activity affecting their remote connectivity systems.
Both incidents involved extended dwell times, during which threat actors maintained access to systems for weeks before being detected. The breaches exposed the weakness of relying on shared infrastructure between multiple customer-facing services. Customer data stored on LastPass's systems, including encrypted vault contents and account metadata, was potentially accessed by threat actors.
Scope and Canadian Impact
LastPass and GoTo are widely used across Canadian organisations for password management and remote access services. The breaches affected:
- Encrypted vault contents of Canadian LastPass users containing passwords and sensitive credentials
- User account metadata including email addresses and phone numbers
- Customer vault encryption keys for some legacy customers, potentially compromising encrypted data
- Thousands of Canadian small businesses and enterprises relying on GoTo remote access services
- Individual remote workers and entrepreneurs using LastPass for credential management
The incident affected an estimated 25,000 Canadian organisations and individuals with active LastPass or GoTo accounts. Many Canadian financial services firms, healthcare providers, and technology companies were among affected customers.
Impact on Canadian Organisations
The breaches created significant security concerns for affected Canadian organisations. If credential vault encryption keys were compromised, threat actors could potentially decrypt stored passwords and access customer systems, accounts, and sensitive data. Organisations that had stored master passwords in LastPass vaults faced particularly high risk.
Many Canadian businesses were forced to undertake emergency password changes across their entire user bases, a costly and disruptive remediation process. Technology teams spent significant effort verifying whether their organisations' sensitive credentials had been compromised. The incident also raised questions about whether organisations should continue trusting third-party password managers with their most sensitive credentials.
LastPass and GoTo Response
Following discovery of the breaches, the companies implemented response measures:
- Disclosed the breaches and provided initial information about affected customers
- Implemented enhanced security controls for customer accounts
- Recommended password resets for all users
- Offered two years of complimentary identity theft protection to affected users
- Launched a formal investigation into the incident with third-party forensic firms
- Worked with Canadian authorities and regulatory agencies
Lessons Learned
The GoTo and LastPass breaches highlight several critical lessons for Canadian organisations. First, organisations must perform rigorous due diligence on third-party security vendors, particularly those entrusted with sensitive credentials. A breach at a password manager or remote access provider potentially compromises every system and account the customer protects.
Second, organisations should implement credential management practices that do not depend on a single third-party service. Critical credentials should be protected through multiple mechanisms, including hardware security modules, offline vaults, and divided responsibilities among multiple team members.
Third, the breaches demonstrate the necessity for organisations to maintain detailed asset inventories of all systems and accounts protected by third-party services. When breaches occur, organisations must be able to quickly identify all potentially affected systems and begin remediation.
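As an added example (not part of the original post and not CyberSafe's own tooling), the script below shows the inventory check described above: it cross-references a constructed asset inventory against a constructed vendor breach notice and orders the affected credentials for rotation, with vault master passwords first. The inventory fields, the containment dates and the risk tiers are assumptions made for this example.

```python
"""Cross-reference an asset inventory with a vendor breach notice to list the
credentials that must be rotated. All inventory rows, dates and tiers below are
constructed sample data; the record layout itself is an assumption."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    name: str
    credential_store: str   # third-party service that holds the secret
    credential_kind: str    # "master", "admin", "service" or "user"
    stored_since: date      # when the secret was first placed in that store


# Constructed inventory: systems and where each one's secret is kept.
INVENTORY = [
    Asset("vault-master-password", "lastpass", "master", date(2021, 3, 1)),
    Asset("erp-admin", "lastpass", "admin", date(2022, 6, 15)),
    Asset("backup-service-key", "lastpass", "service", date(2023, 2, 1)),
    Asset("payroll-portal", "bitwarden", "user", date(2022, 1, 1)),
    Asset("remote-support-gateway", "goto", "admin", date(2020, 9, 9)),
]

# Constructed breach notice: vendor -> date the vendor reported containment.
# Because of the long dwell times, any secret present in the store before
# containment is treated as exposed, whatever day it was added.
BREACH_NOTICES = {"lastpass": date(2022, 12, 22), "goto": date(2022, 12, 22)}

# Lower tier = rotate sooner; master passwords first, as the text recommends.
PRIORITY = {"master": 0, "admin": 1, "service": 2, "user": 3}


def affected_assets(inventory, notices):
    """Return assets whose store was breached and whose secret was present
    there before containment, ordered highest risk first."""
    hits = [a for a in inventory
            if a.credential_store in notices
            and a.stored_since <= notices[a.credential_store]]
    return sorted(hits, key=lambda a: (PRIORITY[a.credential_kind], a.name))


def rotation_plan(inventory, notices):
    """Map each affected asset name to its rotation tier (0 = immediately)."""
    return {a.name: PRIORITY[a.credential_kind]
            for a in affected_assets(inventory, notices)}


if __name__ == "__main__":
    for asset in affected_assets(INVENTORY, BREACH_NOTICES):
        print(f"tier {PRIORITY[asset.credential_kind]}: rotate {asset.name}")
```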
How CyberSafe Can Help
CyberSafe's Credential Management and Access Control Consulting helps Canadian organisations implement secure credential management practices that reduce dependence on single third-party providers. Our Cyber Defense Services provide ongoing monitoring to detect unauthorised access to protected systems. We also offer Incident Response Services to help organisations quickly identify and remediate compromised credentials.