LastPass' parent company GoTo (formerly LogMeIn) has updated its inсident response report to say that a threat actor stole encrypted backups and an encryption key for a portion of that data as part of a 2022 LastPass breach that also impacted GoTo.

“Our investigation to date has determined that a threat actor exfiltrated encrypted backups from a third-party cloud storage service related to the following products: Central, Pro, join.me, Hamachi, and RemotelyAnywhere. We also have evidence that a threat actor exfiltrated an encryption key for a portion of the encrypted backups,” IT management software firm said.

The compromised information may include account usernames, salted and hashed passwords, a portion of Multi-Factor Authentication (MFA) settings, as well as some product settings and licensing information. In addition, while Rescue and GoToMyPC encrypted databases were not exfiltrated, MFA settings of a small subset of their customers were impacted.

The company said it found no evidence that other GoTo products or any of its production systems were affected.