OneLogin Password Manager Reports Data Breach, Potential Decryption of Customer Data
- Author: Toni Ryan, Jun 03, 2017, 1:50
"As we communicated yesterday, we recently detected that a malicious actor had obtained access to our U.S. operating region," Hoyos explains.
Identity management and Single Sign-On vendor OneLogin has reported an unauthorized access issue, which may have compromised customer data.
The company warns that "all customers served by our United States data center are affected; customer data was compromised, including the ability to decrypt encrypted data". Staff did not become aware of the breach until roughly seven hours after it began, at 9am PST, and shut it down within minutes of detecting it.
The company says that it is working with law enforcement and third-party investigators to find out more.
Password management provider OneLogin notified its customers on May 31 that it detected unauthorized access to user data.
What's most worrying is that while the company says it encrypts "certain data at rest", it could not rule out the possibility that the hacker also obtained the ability to decrypt the data.
"The threat actor was able to access database tables that contain information about users, apps, and various types of keys", Hoyos explained. Apps that use the Security Assertion Markup Language (SAML) SSO feature need new certificates, and new application programming interface credentials and OAuth tokens must be generated. Law enforcement and third-party security experts are now working with OneLogin to investigate the scope of the hack and identify the guilty parties involved. "We are thus erring on the side of caution and recommending actions our customers should take".
Services like OneLogin can make it easier for companies and individual users to manage multiple logins and passwords. This is not the first data breach at OneLogin, and whatever lessons are learnt from it come at a hefty cost.
More in-depth instructions for account security can be found here.