
Everything You Should Know about the OneLogin Data Breach

Jun 27, 2017

This is an article about the recent hack of the popular password manager OneLogin. We will briefly examine the impact this might have had on its users.

In a blog post, the chief security officer of OneLogin, Mr. Alvaro Hoyos, said they were aware of unauthorized access to their data in the US data region. Following this, the company had reached out to customers to inform them.

He added that the company had managed to block the unauthorized access after the breach and was cooperating with law enforcement to try to apprehend the criminals.

Security Breach

Initially, the blog post was very short on details. For instance, the post did not mention that sensitive customer data had been obtained during the hack, which the company had only mentioned in the email they sent to their customers.

The email said that OneLogin believed the breach had affected all of their US customers and that all their sensitive data had been compromised.

In an update, the company said that the hacker had obtained access to Amazon Web Services (AWS) keys and used the keys to gain access to an AWS API from an intermediate host with a smaller service provider within the US.

OneLogin confirmed that the attack began at 2 am (PT), but staff only noticed unusual database activity a few hours later. Within a few minutes of noticing this, they shut down the system and all affected AWS keys used to carry out the hack.

According to the company, the hacker could access the database tables containing all information about users, the various types of keys, and apps. OneLogin added that although most of their data was encrypted, they could not rule out that the hacker may have obtained a way to decrypt it. However, the spokesperson did not clarify which type of data is encrypted and which is not.

People Have Some Hard Questions

Some people want an answer to the question of how hackers accessed customer data that could be decrypted. For instance, they wondered how OneLogin could have encrypted data and made the decryption method accessible enough for hackers to access it.

For now, OneLogin advises customers to change their passwords, create new OAuth tokens, and generate new API keys for their services. Additionally, it is advising customers to create new security certificates. The company added that data used by IT administrators, stored in the Secure Notes feature and used for storing important network passwords, could be decrypted.

How Many Were Affected

The company did not give figures on how many of its customers the breach affected. However, according to its site, it serves some of the largest companies on earth, including Dun & Bradstreet, ARM, Conde Nast, and the Carlyle Group. Dropbox, however, has denied that it is a customer of OneLogin.

How Does OneLogin Work?

OneLogin lets corporate users of its service gain access to multiple sites, web applications, and services using a single password. The company is estimated to serve millions of users in over 2,000 companies in dozens of countries around the world.

With a single sign-on feature, it integrates hundreds of third-party services and apps such as Office 365, LinkedIn, Slack, Twitter, Google, and Amazon Web Services.

This is the second time the company has suffered a major hack of its system in two years. In August of 2016, it warned users that someone had accessed its Secure Notes service. However, it denied that it had lost any customer data because of the hack.

How Will It Proceed from Here?

OneLogin said that they were working with a security firm to determine how the hack occurred. In addition, they said they wanted to verify how extensive the leak had been. They also added that they were working on a solution to prevent a similar hack in the future. The company says it cannot divulge much else because law enforcement is still investigating the incident.

OneLogin is by no means the only company in the US that offers the single sign-on feature. That is not to suggest that other companies have also been hacked, but it does mean that other companies should take precautions when dealing with customer data. The prospect of getting access to so many high-value accounts with one hit makes them a prime target.