Security Bulletin: Goto / LogMeIn Security Breach

If you or your organization is using LastPass or other Goto services, please contact Macktez right away so we can review your security profile and address any vulnerabilities.

The full context of a 2022 security breach at Goto — the parent company of LastPass, LogMeIn, and other services — continues to broaden in scope. In addition to the serious breach of LastPass reported in November and December, this week Goto revealed that encrypted backups related to certain services, including LogMeIn Central, were removed from Goto storage along with “an encryption key for a portion of the encrypted backups.”

Macktez does not use LastPass, nor does it manage any backups through LogMeIn Central. But Macktez has used LogMeIn as a tool to remotely access client computers for years, so it is important that we consider the implications of this service being mentioned in Goto’s incident response.

After review, we are confident that no client workstations are vulnerable to unauthorized access through Macktez’s LogMeIn account.

Our threat assessment is based on the following:

– All LogMeIn users on Macktez’s account — including clients who need remote access to their own workstations — have multi-factor authentication (MFA) enforced as an added protection against a password breach.

– Any remote workstation credentials saved by LogMeIn users are saved only locally, so would not have been exposed in Goto’s security breach.

– Goto has forced all LogMeIn users to update their Goto password and MFA this week out of an abundance of caution, mitigating any possible exposure of passwords or MFA keys.

Goto’s incident response and discovery may not yet be finished, and we will continue to monitor the situation closely. But based on our specific use of Goto’s services and the security precautions mentioned above, we consider Macktez’s position, and access to our clients’ workstations, to be secure.