The Week in Security: After breach, 'unusual activity' detected in GoTo and LastPass dev environments

This week: IT management firm GoTo says a 2022 breach was much worse than reported. Also: a hacktivist found the FBI's No Fly list on a publicly-accessible airline server.

This Week’s Top Story

GoTo says a 2022 breach was much worse than reported

The IT management software firm GoTo (formerly: LogMeIn) acknowledged on Tuesday that a 2022 breach that exposed backups for its remote access and password management products was more serious than previously reported, and that an investigation of the incident turned up "unusual activity" in the company's development environment and third-party cloud storage service used by GoTo and its LastPass affiliate.

In a post on the company's website on Monday, GoTo chief executive Paddy Srinivasan said that that breach included encrypted backups from a third party cloud backup platform. The backups were for a range of GoTo products including Central, Pro, join.me, Hamachi, and RemotelyAnywhere. Encryption keys were also stolen for some of those backups, he said. The backups contain a range of sensitive information including GoTo account usernames, salted and hashed passwords, as well as Multi-Factor Authentication (MFA) settings and licensing information.

The GoTo attack has already had a major impact. In December, GoTo's LastPass secure password management division announced that the incident resulted in a subsequent hack of its cloud infrastructure and the theft of backups containing basic customer account information and - more importantly - customer vault data from the encrypted storage container including (fully-encrypted) fields such as website usernames and passwords, secure notes, and form-filled data.

The company said it engaged the security firm Mandiant to investigate the incident and that the subsequent investigation revealed that attackers detected "unusual activity within our development environment and third-party cloud storage service," which is shared by both GoTo and its affiliate, LastPass.

GoTo said its software is safe to use and that the company is deploying "enhanced security measures and monitoring capabilities across our infrastructure to help detect and prevent threat actor activity."

News Roundup

Here are the stories we’re paying attention to this week…

Hacktivist finds FBI "No Fly" list on unsecured airline servers (Daily Dot)

The FBI's "No Fly" list of banned passengers was discovered online by the Swiss hacker known as maia arson crimew on a server, run by the U.S. airline CommuteAir. The file, NoFly.csv contained more than 1.5 million entries and was found alongside other sensitive information, including personally identifying information on 1,000 CommuteAir employees.

FBI blames North Korea for $100m theft from crypto firm Horizon Bridge (Hacker News)

The U.S. Federal Bureau of Investigation (FBI) on Monday said that North Korean threat actors were responsible for the theft of $100 million in cryptocurrency assets from Harmony Horizon Bridge in June 2022. The law enforcement agency attributed the hack to the Lazarus Group (a.k.a APT38), a North Korean state-sponsored threat group that specializes in financial cyber operations.

Hack of ODIN Intelligence spills 20GB of police data (GovTech)

Hackers leaked an estimated 20GB of data stolen from ODIN Intelligence, a police software and services provider. The information is said to include “confidential police reports” with extensive personal details on individuals monitored by police and information about upcoming police operations. The leak follows a breach of ODIN’s internal servers and exposed police plans for to-be-launched raids, as well as information on suspects, victims, and convicted sex offenders.

WiFi routers can reveal 3D images of humans in their midst (VPNOverview)

Simple home Wi-Fi routers can detect and perceive the poses and positions of humans in their midst and map their bodies clearly in 3D, according to a newly published paper by researchers at Carnegie Mellon University. The researchers used AI neural networks and deep learning to create full-body images of subjects, creating possible new applications in healthcare and security, but also posing privacy risks, the paper notes.

T-Mobile hack exposes data on 37 million customers (The Security Ledger)

Telecommunications giant T-Mobile disclosed on Thursday that hackers obtained data on 37 million customers through a vulnerable API (application program interface) including customers’ names, billing addresses, emails, phone numbers, and dates of birth. The attack also revealed T-Mobile account numbers and information on the customers’ T-Mobile plans, the company said in an 8-K filing with the U.S. Securities and Exchange Commission.