June 1, 2017 (updated 2 Jun 2017, 3:29pm)

OneLogin data breach: Encrypted info at risk following hack on password manager

Even security companies can be hacked.

By Ellie Burns

OneLogin, the password management service, has fallen victim to an embarrassing cyber attack – proving that even security companies are at risk of breaches.

Encrypted information has reportedly been accessed by the perpetrators of the data breach, and every customer served by OneLogin’s US data centres could be affected. OneLogin has not yet made clear which data was accessed, giving only limited details in a blog post.

“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.”

Although it remains to be seen what was stolen and how the hackers breached company systems, Nir Polak at Exabeam said that the data breach is “the best example of the power of a credential-based or stolen identity attack we’ve seen in a while.”

“Typically, a hacker steals an employee’s account credentials to access the employee’s company network and freely roam from system to system. Single sign-on services such as OneLogin are designed to let employees use only one credential to access many companies’ services,” explained Polak.

“Gaining access to OneLogin’s systems is very much like stealing a master key — once you have that, you have access to all of the systems that an employee can jump in to. It’s a tough situation: on the one hand, these identity manager services significantly improve security, as they improve control over passwords and account activation. On the other, as seen here, if you can break the system, that control all but vanishes.”



Because OneLogin stores its customers’ credentials and secrets, the information up for grabs could prove extremely lucrative to the hackers.

“An en masse data theft at OneLogin has earned the hacker a significant haul of customers’ account credentials, including plain text access to passwords. This data can either be sold on or directly used for further breaches and theft,” said Matt Walmsley at Vectra Networks.

However, OneLogin is in full damage limitation mode, having already “reached out to impacted customers with specific recommended remediation steps.” These remediation steps include forced password resets, generating new security credentials and recycling secrets stored in OneLogin’s secure notes.
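The following is an added illustration, not code from OneLogin or from this article, of the two points made above: Polak’s “master key” argument (whoever holds the identity provider’s signing credential can mint a valid login for any user at any integrated app) and the remediation step of generating new credentials (rotating that signing key makes every token minted with the stolen one worthless). The identity provider, the apps, the HMAC-signed token format and the user names are all hypothetical simplifications; real SSO uses SAML or OpenID Connect with asymmetric signatures, but the trust relationship is the same.

```python
"""Toy single sign-on flow (added example, not OneLogin's code).

Assumptions, all hypothetical: the identity provider (IdP) signs tokens with an
HMAC-SHA256 key, and each service provider (SP) accepts any token carrying a
valid signature under the IdP's current key. Sample users/apps are constructed.
"""
import base64
import hashlib
import hmac
import json
import secrets
import time


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(key: bytes, user: str, app: str, ttl: int = 300) -> str:
    """Whoever holds `key` can mint a token the SP accepts: the IdP or a thief."""
    claims = {"sub": user, "aud": app, "exp": int(time.time()) + ttl}
    payload = _b64(json.dumps(claims, sort_keys=True).encode())
    sig = hmac.new(key, payload.encode(), hashlib.sha256).digest()
    return f"{payload}.{_b64(sig)}"


class IdentityProvider:
    """One credential, many apps: the IdP vouches for users to every SP."""

    def __init__(self) -> None:
        self.signing_key = secrets.token_bytes(32)

    def issue_token(self, user: str, app: str) -> str:
        return mint_token(self.signing_key, user, app)

    def rotate_signing_key(self) -> None:
        """Remediation: a fresh key invalidates every token minted under the old one."""
        self.signing_key = secrets.token_bytes(32)


class ServiceProvider:
    """An integrated app that trusts whatever the IdP currently signs with."""

    def __init__(self, name: str, idp: IdentityProvider) -> None:
        self.name = name
        self.idp = idp  # stands in for the SP's copy of the IdP's trust metadata

    def verify(self, token: str):
        """Return the user name the token vouches for, or None if it is rejected."""
        try:
            payload, sig = token.split(".", 1)
        except ValueError:
            return None
        expected = hmac.new(self.idp.signing_key, payload.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64(sig)):
            return None
        claims = json.loads(_unb64(payload))
        # Audience and expiry checks: a token for one app must not open another.
        if claims.get("aud") != self.name or claims.get("exp", 0) < time.time():
            return None
        return claims["sub"]


def demo() -> dict:
    """Walk through: legitimate login, stolen-key forgery, then key rotation."""
    idp = IdentityProvider()
    cloud_console = ServiceProvider("cloud-console", idp)
    chat = ServiceProvider("chat", idp)

    legit = cloud_console.verify(idp.issue_token("alice", "cloud-console"))

    # Attacker exfiltrates the IdP's signing key: the "master key" in Polak's analogy.
    stolen_key = idp.signing_key
    forged_console = cloud_console.verify(mint_token(stolen_key, "admin", "cloud-console"))
    forged_chat = chat.verify(mint_token(stolen_key, "admin", "chat"))
    wrong_audience = chat.verify(mint_token(stolen_key, "admin", "cloud-console"))
    held_back = mint_token(stolen_key, "admin", "cloud-console")

    # Remediation: generate a new signing credential; every SP now rejects the old key.
    idp.rotate_signing_key()
    after_rotation = cloud_console.verify(held_back)

    return {
        "legit": legit,
        "forged_console": forged_console,
        "forged_chat": forged_chat,
        "wrong_audience": wrong_audience,
        "after_rotation": after_rotation,
    }


if __name__ == "__main__":
    print(demo())
```

The caveat a practitioner should take from this: in the toy, rotation is instantaneous because the SP reads the IdP’s current key directly. In a real deployment each integrated app holds its own copy of the identity provider’s certificate or metadata, so “generating new security credentials” is only finished once every service provider has been updated to trust the new key and to stop trusting the old one.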

“We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened,” chief information security officer Alvaro Hoyos said on the company’s blog.

“We are actively working to determine how best to prevent such an incident from occurring in the future.”

OneLogin markets itself as a single sign-on service, allowing users to access multiple apps and sites with just one password. Apps and sites integrated with OneLogin include Amazon Web Services, Microsoft Office 365, Slack, Cisco Webex, Google Analytics and LinkedIn.
