OneLogin has confirmed that a bug has allowed a hacker to view some of its customers' encrypted Secure Notes.
Alvaro Hoyos, chief information security officer, said in a statement that, “OneLogin has a feature called Secure Notes, which end users can use to store information. These notes are stored in our system using multiple levels of AES-256 encryption. A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database.”
Hoyos continued, “We subsequently discovered evidence that an unauthorised user gained access to this system by compromising a OneLogin employee's password for that system. We have no evidence that any other OneLogin system or user account was compromised.”
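The failure mode Hoyos describes (a note reaching the logging system before it was encrypted) is a general one: any call site that logs a request object in full will write the plaintext to the log, whatever encryption happens afterwards. The following Python is an added example written for this article, not OneLogin's code; the field names, the in-memory logger and the SHA-256 counter-mode keystream (a stand-in for the AES-256 layers the statement mentions) are all assumptions. It contrasts a handler that logs before encrypting with one that encrypts first and logs a redacted view, and adds a logging filter that masks sensitive fields even when a call site gets it wrong.

```python
"""Added example (not OneLogin's code): logging a Secure Note before encryption leaks
the plaintext; encrypt-then-log-redacted and a redacting log filter close the gap."""
import hashlib
import io
import json
import logging
import secrets

# Field names are assumed for this example; values under them must never reach a log line.
SENSITIVE_FIELDS = {"note_body", "password"}
REDACTED = "[REDACTED]"

# Constructed demo inputs.
DEMO_KEY = b"\x01" * 32
DEMO_PAYLOAD = {"user": "alice", "note_body": "db password hunter2"}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Stand-in keystream (SHA-256 in counter mode) so the example runs without a
    crypto library; it takes the place of the AES-256 layers the article mentions."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_note(plaintext: bytes, key: bytes) -> dict:
    """Return the stored form of a note: random nonce plus XOR-keystream ciphertext."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return {"nonce": nonce.hex(), "ciphertext": ct.hex()}


def decrypt_note(record: dict, key: bytes) -> bytes:
    nonce = bytes.fromhex(record["nonce"])
    ct = bytes.fromhex(record["ciphertext"])
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def redact(payload: dict) -> dict:
    """Copy of the payload with sensitive values replaced by a fixed marker."""
    return {k: (REDACTED if k in SENSITIVE_FIELDS else v) for k, v in payload.items()}


class RedactingFilter(logging.Filter):
    """Defence in depth: if any call site logs a raw request dict, sensitive fields are
    masked before the record is formatted, so the call-site mistake does not leak."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.msg, dict):
            record.msg = json.dumps(redact(record.msg))
        if isinstance(record.args, dict):
            record.args = redact(record.args)
        elif isinstance(record.args, tuple):
            record.args = tuple(redact(a) if isinstance(a, dict) else a for a in record.args)
        return True


def store_note_buggy(payload: dict, key: bytes, log: logging.Logger) -> dict:
    # The failure mode from the article: the whole request is logged *before* the
    # note body is encrypted, so the log system holds the plaintext.
    log.info(payload)
    return encrypt_note(payload["note_body"].encode(), key)


def store_note_fixed(payload: dict, key: bytes, log: logging.Logger) -> dict:
    # Encrypt first, then log an explicitly redacted view of the request.
    stored = encrypt_note(payload["note_body"].encode(), key)
    log.info("secure_notes.update %s", json.dumps(redact(payload)))
    return stored


def run_with_captured_log(handler_fn, payload: dict, key: bytes, filtered: bool) -> tuple:
    """Run a store function against an in-memory logger; return (log_text, stored_record)."""
    buf = io.StringIO()
    log = logging.getLogger(f"example.{handler_fn.__name__}.{filtered}")
    log.handlers.clear()
    log.filters.clear()
    log.setLevel(logging.INFO)
    log.propagate = False
    log.addHandler(logging.StreamHandler(buf))
    if filtered:
        log.addFilter(RedactingFilter())
    stored = handler_fn(payload, key, log)
    return buf.getvalue(), stored


def log_leaks(log_text: str, secret: str) -> bool:
    """Detection check a reviewer can run over captured log output."""
    return secret in log_text


if __name__ == "__main__":
    for fn in (store_note_buggy, store_note_fixed):
        for filtered in (False, True):
            text, _ = run_with_captured_log(fn, DEMO_PAYLOAD, DEMO_KEY, filtered)
            print(f"{fn.__name__:18} filter={filtered!s:5} leaks={log_leaks(text, 'hunter2')}")
```

Run stand-alone, the buggy handler leaks the note body only when the redacting filter is absent; the fixed handler never does, while still recording the non-sensitive fields needed for auditing. The filter is the control that would have caught a bug like the one described here, because it does not depend on every call site remembering to redact.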
It is believed that the breach affected only a minority of users: the company said that, based on activity in the log management system, the intruder was able to view notes that were updated between 25/7/2016 and 25/8/2016.
Security staff at the single sign-on cloud identity management provider said no other systems at the company were affected.
In a bid to reassure customers, Hoyos concluded in the statement: “We take this matter very seriously and have retained an independent cyber-security firm to assist in analysing the issue fully and make sure no stone is left unturned. We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk and we will follow up with any other customers who may be impacted as a result of this incident.”
The company has not shared the events that led to the employee's password being obtained by the intruder; it is not yet clear what happened.
Ross Brewer, vice president and managing director EMEA at LogRhythm, told SCMagazineUK.com: “Data breaches, both old and new, are continuing to dominate our headlines. Hackers were able to view OneLogin notes in clear text for over two months before the breach was identified. The biggest concern is that hackers' tactics are becoming more and more sophisticated and breaches are almost inevitable.
“Businesses are wising up to the fact that hackers will get in, but they need to make sure they have the right tools in place to stop them before any damage has been done. Businesses need to shift their investments to full network monitoring and response capabilities so that they can identify breaches the moment they happen. Indeed, security intelligence and rapid detection are key to preventing large gaps between breach and detection, such as these. With the EU GDPR's breach notification window pending, businesses are under growing pressure to spot and disclose a breach the moment it happens, and this can only be done with a deep understanding of network activity.”
Justin Harvey, chief security officer at Fidelis Cybersecurity, told SC: “It's clear that no company is immune from a data breach and with cloud-based third party applications being targeted, the scope for damage is vast. This is exactly why the security industry is moving to a detection versus protection standpoint, where it's just as important to identify and expel an attacker as it is to protect the corporate network. With many companies likely affected by these latest breaches, they need to take note of this shift and build their defences accordingly.”