OneLogin, a San Francisco-based company that lets users manage their login credentials for multiple sites and apps through a cloud-based platform, has reported a troubling data breach whose full extent is still unknown. Providing single sign-on and identity management for about 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers, OneLogin plays a significant role in the corporate world; the clean-up from this breach will likely be a huge headache for thousands of businesses.
On Wednesday, May 31, 2017, OneLogin’s Chief Information Security Officer, Alvaro Hoyos, posted a short blog post that called attention to the breach. The main points communicated were that:
- Unauthorized access to OneLogin data in the US data region was detected
- OneLogin has blocked the unauthorized access
- The breach has been reported to law enforcement, and the company is working with an independent security firm to figure out what happened and the extent of the impact
- OneLogin has already reached out to impacted customers with recommended remediation steps
Motherboard was able to obtain the email sent to users and noted one very important fact that was omitted from the public blog post:
“Customer data was compromised, including the ability to decrypt encrypted data,” wrote OneLogin. As KrebsOnSecurity noted, “A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers.”
The remediation steps suggested in the email indicate how serious this breach may be. Typically, when a data breach occurs, a company tells users to change their passwords and keep an eye out for suspicious activity. OneLogin's suggestions, however, are far more invasive and time-consuming for the affected businesses. The company is telling customers to generate new API keys and OAuth tokens, create new security certificates and credentials, recycle any secrets stored in OneLogin's Secure Notes feature, have end users update their passwords, and more.
On Thursday, June 1, 2017, OneLogin updated its blog with additional details about the data breach. The review is still ongoing, but the company wanted to share new information it had received. Alvaro Hoyos wrote:
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”
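The pattern OneLogin describes, a valid set of AWS keys used from an unfamiliar host to create instances in the early morning, is exactly what per-key source-network allowlisting and off-hours checks on CloudTrail events are meant to surface. The following is an added detection sketch, not code from OneLogin or its investigators; the access key IDs, CIDR ranges, business hours and event records are all constructed for illustration, and the records carry only the CloudTrail fields the check reads.

```python
import ipaddress
from datetime import datetime

# Constructed allowlist (hypothetical key IDs and CIDRs): the networks each
# access key is expected to be used from, e.g. a CI runner's egress range.
KEY_ALLOWLIST = {
    "AKIAEXAMPLEKEY000001": ["203.0.113.0/24"],
}

# Actions that create compute or extend access and so deserve extra scrutiny.
HIGH_RISK_ACTIONS = {"RunInstances", "CreateAccessKey", "CreateUser", "AssumeRole"}

# Assumed working hours in UTC; high-risk actions outside them are flagged.
BUSINESS_HOURS_UTC = (8, 18)

# Constructed CloudTrail-like records (not real telemetry from the incident).
SAMPLE_EVENTS = [
    {"eventID": "e1", "eventTime": "2017-05-31T14:00:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e2", "eventTime": "2017-05-31T03:05:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e3", "eventTime": "2017-05-31T03:06:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventID": "e4", "eventTime": "2017-05-31T15:00:00Z", "eventName": "DescribeDBInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000099"}},
]


def source_check(key_id, source_ip):
    """Return None when the key is known and used from an allowlisted network,
    otherwise a short reason string describing why the call looks out of place."""
    cidrs = KEY_ALLOWLIST.get(key_id)
    if cidrs is None:
        return "unknown-access-key"
    addr = ipaddress.ip_address(source_ip)
    if any(addr in ipaddress.ip_network(cidr) for cidr in cidrs):
        return None
    return "source-ip-not-allowlisted"


def is_off_hours(event_time):
    """CloudTrail eventTime is ISO 8601 in UTC; compare the hour to the assumed window."""
    hour = datetime.strptime(event_time, "%Y-%m-%dT%H:%M:%SZ").hour
    start, end = BUSINESS_HOURS_UTC
    return not (start <= hour < end)


def analyze(events):
    """Return one finding per event that trips at least one rule."""
    findings = []
    for ev in events:
        reasons = []
        key_id = ev.get("userIdentity", {}).get("accessKeyId")
        reason = source_check(key_id, ev["sourceIPAddress"])
        if reason:
            reasons.append(reason)
        if ev["eventName"] in HIGH_RISK_ACTIONS and is_off_hours(ev["eventTime"]):
            reasons.append("high-risk-action-off-hours")
        if reasons:
            findings.append({
                "eventID": ev["eventID"],
                "accessKeyId": key_id,
                "eventName": ev["eventName"],
                "sourceIPAddress": ev["sourceIPAddress"],
                "reasons": reasons,
            })
    return findings


def keys_to_disable(findings):
    """Keys that performed a high-risk action from a non-allowlisted network:
    the first candidates for immediate deactivation during response."""
    return sorted({
        f["accessKeyId"] for f in findings
        if "source-ip-not-allowlisted" in f["reasons"] and f["eventName"] in HIGH_RISK_ACTIONS
    })


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("keys to disable:", keys_to_disable(results))
```

On the constructed records the check stays silent for the daytime RunInstances from the allowlisted range, flags the 03:05 UTC RunInstances from an unexpected address on both rules, flags the follow-up reconnaissance call on the source rule alone, and flags the call made with a key the allowlist has never seen. Keying the allowlist on the access key rather than on the account is what makes the "valid credentials, wrong host" case visible at all.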
As customers scramble to put safeguards in place and protect their sensitive information, we have no doubt that we’ll be hearing more about this data breach and just how far-reaching its true effects are.