OneLogin Breach Compromised Customer Data, Ability to Decrypt Encrypted Data

A breach at OneLogin appears to have compromised customer data, including the ability to decrypt encrypted data.

A breach at OneLogin, a company that provides customers with a single sign on for logging into multiple sites and apps, appears to have compromised customer data, including the ability to decrypt encrypted data.

The company notified customers via email Wednesday that the incident stemmed from unauthorized access to one of its U.S. data centers.

“All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data,” according to the email.

The cloud single sign-on provider counts over 2,000 companies, including Conde Nast, Pinterest and Yelp, as its customers.

It’s unclear exactly what kind of customer data may have been compromised, but the company is urging administrators who use the single sign-on (SSO) feature to force a directory password reset for their users.

In addition to forcing a password reset, the company is also instructing customers to carry out a lengthy list of actions, including generating new certificates for apps that use SAML SSO – a standard for logging users into apps based on their sessions. Other instructions include asking customers to generate new API credentials and OAuth tokens, as well as to generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.

The company is also encouraging users to update any API and OAuth credentials associated with third-party directories, such as G Suite, generate and apply new Desktop SSO tokens, recycle any secrets stored in Secure Notes, update any credentials used to authenticate to third-party apps for provisioning and update any admin-configured login credentials that may be used for form-based authentication.

Alvaro Hoyos, the company’s chief information security officer, announced the incident in a blog post late Wednesday evening.

Hoyos confirmed the company blocked the unauthorized access, reported the incident to law enforcement and is working with a security firm to determine how wide the impact was. The rest of the blog post is thin on details and includes nothing about customer data being impacted, or how some data could be decrypted.

Hoyos instead directs users to the company’s compliance page, saying the company’s investigation around the incident continues.

“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented,” Hoyos wrote.

The breach is the biggest security hiccup for the company since last August, when it admitted an attacker managed to take advantage of a bug in its system to read notes thought to be private in its Secure Notes feature.

That incident was two-pronged. A bug in the system the company used for log storage and analytics caused all notes in Secure Notes to be stored in cleartext for one month. During that period, in an unrelated incident, an attacker successfully compromised the password of a OneLogin employee, something that allowed them access to the logging system where the notes were being saved.
