GoTo Security Breach: What the Recent Incident Says About the Remote Access Software Industry


The short story of the GoTo/LastPass data breach

GoTo has recently announced that, according to their investigation, “a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere.” GoTo CEO Paddy Srinivasan emphasized the company’s efforts to keep customers informed and secure following the incident.

A cyber threat actor has also extracted an encryption key for a segment of the encrypted backup data. Among the affected information could be “account usernames, salted and hashed passwords, a portion of multi-factor authentication (MFA) settings, as well as some product settings and licensing information.” Following this GoTo security breach, their products have been thoroughly investigated to ensure their security and functionality during this period.

GoTo’s production systems were not impacted beyond what was previously disclosed.

GoTo-owned company LastPass also recently announced that an incident in August 2022 was more serious than previously thought. The affected data included GoToMyPC encrypted databases. While initially saying no customer data was affected, LastPass admitted in December that customer data had been compromised. The unauthorized party had accessed a third-party cloud storage service where LastPass was storing data, including account usernames, salted and hashed passwords. The affected customers’ data may contain usernames and other sensitive information.

The incident also impacted the multi-factor authentication (MFA) settings of a small subset of customers, particularly related to Rescue and GoToMyPC encrypted databases. Following this, GoTo has taken significant steps to safeguard account passwords and enhance its overall security measures. Part of this has been contacting affected customers directly to reassure them of encrypted backups and more robust authentication.

Following several past security breaches, LastPass officially separated from GoTo in May 2024 to focus more on cybersecurity. This has ensured that it protects its clients’ data with its enhanced identity management platform, ensuring that passwords will never be breached again.

What does the GoTo security breach tell you about data security?

There’s one essential takeaway from all the above: when security is not the priority, affected users are the ones who end up suffering. Digital trust and data security are essential to us here at RealVNC. We believe any remote access provider, particularly a software provider, should take them very seriously. In reality, many companies don’t put their money where their mouth is regarding additional security.

We build our product by putting security first, adhering to our four security principles:

  1. You don’t have to trust RealVNC as a company to trust our software and services
  2. We do not record your sessions, and data cannot be decrypted now or in the future
  3. Every connection is treated as though it is made in a hostile environment
  4. The owner of the remote computer ultimately decides who can connect

Every single connection is end-to-end encrypted at up to 256-bit AES. We also have 2FA (two-factor authentication) available and strongly recommend its use.


RealVNC Connect can prove that it’s secure

We don’t just claim that we’re secure. Our remote access solution is the only one to have been audited by an independent security expert and given the all-clear. Namely, we’ve opened our doors to a comprehensive white-box security audit by Cure53. This is a much more in-depth security review than the traditional annual penetration test, with the auditors getting full access to our source code, internal API documentation, and a direct communication line to the developers. We’re very proud of the results, with no critical issues found, which only reaffirms our strong security stance. We’ll continue to work hard to maintain the same high security standards.

We’re also happy to announce that the Android version of RealVNC Server for Mobile is the first remote access app to undertake the MASA process successfully. We undertook the process for our RealVNC Mobile Server app in November 2022, working together with NCC Group, an authorized MASA lab, and a key player in the security industry. Our application flew through this assessment and gained an outstanding result: a PASS in each area on the first run.

RealVNC will continue to challenge the whole industry to take the same route of providing additional security for its products. We’ve done this at recent cybersecurity events and will continue to do so in the future.

“At RealVNC, we operate from the standpoint that no company should ever take a vendor’s word for it when they claim their software is secure, which is why we chose to complete a white-box audit with a highly regarded security consultancy to prove it.”

– Andrew Woodhouse, RealVNC Chief Information Officer

What should you do next?

Check if your software (and especially remote access) provider can show you proof of its security. And don’t just take their word for it! Ask for proof in the form of a recent independent security audit. If they can’t do that, there are alternative options out there that comply with your security requirements.

RealVNC Connect guarantees secure and reliable remote access for all. It integrates both RealVNC Viewer and Server into one unified desktop app. Its user-friendly interface and features like file transfer, redesigned toolbar, chat, multi-monitor support, and session recording make it a valuable tool for all users within your organization.

Our latest version also includes advanced features that your help desk and IT teams are sure to love. RealVNC Connect Version 8 features self-expiring session codes that expire and get replaced within two minutes, ensuring no persistent codes can be used for unauthorized access. In addition, you will know who is connecting, have invite-only access, and be able to share your device with Code Connect. Ready to experience the new era of remote access? Try the latest version of RealVNC Connect today!
