OneLogin, Inc., the developers of single sign-on and identity management for cloud-based applications has announced that its servers for the US region have been hacked and accessed by a third party. As a result; encrypted information related to its password management service (OneLogin) has been stolen.
According to OneLogin’s security advisory, the unauthorized access was detected on May 31st, 2017 targeting the US data region which was successfully blocked and law enforcement and cyber security firm was also called in to investigate the matter.
Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount, said the blog post.
While the support page (available only for registered users) states that:
“All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.”
OneLogin is a single sign-on service, allowing users to access multiple sites and apps with just one unique password. These sites and apps include LinkedIn, Google Analytics, Amazon Web Services, Microsoft Office 365, Cisco Webex and Slack.
In 2013, the firm had 12 million licensed users and 700 business customers worldwide.
Currently, registered users can see the list of measures intended to reduce the risk to their data. As expected users are outraged with the incident and sharing their views on Twitter. One of the users also criticized the company’s decision to force users to sign in to see the list.
Hey @OneLogin you shouldn't have the security article behind OneLogin. Kind of hard to trust it right now. Make it publicly accessible!
— Erik Gomez (@Contains_ENG) June 1, 2017
Woof. OneLogin datacenter breach. If you're using OneLogin, it's time to generate new certs/token. #hugops all around.
— DevOps ⚡Pikachu⚡ (@usrbinpikachu) June 1, 2017
Nir Polak, CEO at Security Intelligence firm Exabeam commented on the issue and told HackRead that “This is the best example of the power of a credential-based or stolen identity attack we’ve seen in a while. Typically, a hacker steals an employee’s account credentials to access the employee’s company network and freely roam from system to system. Single sign-on services such as OneLogin are designed to let employees use only one credential to access many companies’ services. Gaining access to OneLogin’s systems is very much like stealing a master key — once you have that, you have access to all of the systems that an employee can jump into. It’s a tough situation: on the one hand, these identity manager services significantly improve security, as they improve control over passwords and account activation. On the other, as seen here, if you can break the system, that controls all but vanishes.”
If you are a OneLogin customer, make sure to “sign in” and see the list of security measures mentioned by the company. Some of the steps HackRead was able to collect from a OneLogin user and includes the following:
“Force a OneLogin Directory password reset for your users; Generate new certificates for your apps that use SAML SSO; Generate new API credentials and OAuth tokens; Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors; Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro; Generate and apply new Desktop SSO tokens; Recycle any secrets stored in Secure Notes; Update the credentials you use to authenticate to 3rd party apps for provisioning; Update the admin-configured login credentials for apps that use form-based authentication; Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps; and Replace your RADIUS shared secrets.”
This is a massive breach whose consequences will be destructive for users in the long run. Remember, there is a growing trend where hackers are stealing data and selling it on the dark web marketplaces. Right now, the only suggestion that can be given by HackRead is to keep an eye on your financial and login data.
DDoS attacks are increasing, calculate the cost and probability of a DDoS attack on your business with this DDoS Downtime Cost Calculator.