OneLogin has admitted that it has suffered a security breach that enabled “unauthorized access to OneLogin data in our US data region”.
In a brief company blog post, Alvaro Hoyos, chief information security officer (CISO) at OneLogin, said that since the breach, the firm has “blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident”.
“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented,” he added.
In a support page on OneLogin's website, the company added that “customer data was compromised, including the ability to decrypt encrypted data”.
The company advised users to force a OneLogin directory password reset for users, generate new certificates for apps that use SAML SSO and create new API credentials and OAuth tokens, as well as generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors, among other things.
OneLogin was hit by a security breach last year. SC Media UK reported then that a bug allowed a hacker to view some of its customers' encrypted Secure Notes after an unauthorised user gained access to one of its standalone systems, which it uses for log storage and analytics. Hoyos added at the time that the company was “making every effort to prevent any similar occurrence in the future”.
James Maude, senior security engineer at Avecto, told SC that given that it has been reported that customer data was compromised and could be decrypted, “this is a very worrying incident”.
“The fact that OneLogin positions itself as ‘Secure Access for Every User, Every App, Every Device' means that the breach, no matter how large, could have serious consequences for those concerned,” he said.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told SC Media UK that all OneLogin customers “should urgently make a complete and updated inventory of all credentials and authentication systems to which OneLogin has, or could have, access to, and take all reasonable mitigation measures as if these systems have been breached”.
Ondrej Kubovič, security specialist at ESET, told SC Media UK that if some of the admin information (logins, passwords, etc.) have been leaked, this could pose a risk to all the systems or networks which they were protecting. “Attackers can misuse the stolen information to gain access to such networks, extract sensitive information, dox victims or push malware of their choosing. However, this is just a speculation as we do not know, who stands behind the attack or what was their motivation and aim,” he said.
Javvad Malik, security advocate at AlienVault, said that enterprises should increase monitoring across all platforms looking for login attempts from unknown sources or in an irregular manner. “It should also look to conduct behavioural analysis of internal traffic to try and determine if there is unusual activity.”“The attraction of hitting a password manager for attackers is huge, as it readily gives access to multiple login details across many services,” he said. ”Consolidated service providers need to remain vigilant against and deploy strong threat detection and response capabilities.”