BreachExchange mailing list archives

Password manager OneLogin hacked, exposing sensitive customer data


From: Richard Forno <rforno () infowarrior org>
Date: Thu, 1 Jun 2017 22:20:12 -0400

Password manager OneLogin hacked, exposing sensitive customer data

http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/

UPDATED: The company said that hackers have 'the ability to decrypt encrypted data'.

By Zack Whittaker for Zero Day | June 1, 2017 -- 15:47 GMT (08:47 PDT) | Topic: Security

Password manager and single sign-on provider OneLogin has been hacked.

In a brief blog post, the company's chief security officer Alvaro Hoyos said that it was aware of "unauthorized access 
to OneLogin data in our US data region," and that it had reached out to customers.

Hoyos said that the company had blocked the unauthorized access after the breach and is working with law enforcement.

The blog post initially lacked detailed information about the incident and omitted that hackers had stolen sensitive 
customer data -- a point that the company had instead only mentioned in an email sent to customers, seen by ZDNet.

"OneLogin believes that all customers served by our US data center are affected and customer data was potentially 
compromised," the email read.

Later in the day, the company said in an update: "Our review has shown that a threat actor obtained access to a set of 
[Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller 
service provider in the US."

The company confirmed that the attack appears to have started at 2am (PT), but staff were alerted to unusual database 
activity some seven hours later and, "within minutes, shut down the affected instance as well as the AWS keys that were 
used to create it".
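The sequence the company describes (stolen AWS keys, API calls from a host outside the company's own networks, an instance created with those keys, and a multi-hour gap before anyone was alerted) is the kind of pattern a CloudTrail review should surface. The following is an added defender-side illustration, not code from the article or from OneLogin; the log records, the trusted-network allowlist, the key IDs and the alert time are all constructed here for the example.

```python
import ipaddress
from datetime import datetime

# Constructed CloudTrail-style records (not real OneLogin data): a long-lived
# access key is used from an address outside the company's networks, launches
# an instance, and then starts poking at the database layer.
EVENTS = [
    {"time": "2017-05-31T02:03:11Z", "key": "AKIAEXAMPLEKEY000001",
     "ip": "203.0.113.7", "action": "ec2:RunInstances"},
    {"time": "2017-05-31T02:05:40Z", "key": "AKIAEXAMPLEKEY000001",
     "ip": "203.0.113.7", "action": "rds:DescribeDBInstances"},
    {"time": "2017-05-31T02:10:02Z", "key": "AKIAEXAMPLEKEY000002",
     "ip": "10.0.4.21", "action": "s3:GetObject"},
]
# Assumed allowlist: networks from which these keys are expected to be used.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Calls that create compute or reach data stores; flagged as high risk when
# they arrive from an untrusted source.
HIGH_RISK = {"ec2:RunInstances", "rds:DescribeDBInstances", "sts:GetSessionToken"}
# Constructed time at which staff were paged (mirrors the ~7 hour gap in the account).
ALERT_TIME = datetime(2017, 5, 31, 9, 0, 0)

def is_trusted(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_key_misuse(events):
    """Every API call made from outside the allowlist, tagged with its risk level."""
    return [{"key": e["key"], "ip": e["ip"], "action": e["action"],
             "time": e["time"], "high_risk": e["action"] in HIGH_RISK}
            for e in events if not is_trusted(e["ip"])]

def keys_to_revoke(findings):
    """Distinct access keys seen in untrusted calls; these are the keys to disable."""
    return sorted({f["key"] for f in findings})

def detection_delay_hours(findings, alert_time):
    """Hours between the first untrusted call and the moment humans were alerted."""
    first = min(datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ") for f in findings)
    return (alert_time - first).total_seconds() / 3600

if __name__ == "__main__":
    hits = find_key_misuse(EVENTS)
    for h in hits:
        print(("HIGH " if h["high_risk"] else "     ") + f"{h['time']} {h['key']} {h['ip']} {h['action']}")
    print("revoke:", keys_to_revoke(hits))
    print(f"detection delay: {detection_delay_hours(hits, ALERT_TIME):.2f} h")
```

Running the same logic continuously, rather than after a database alarm, is what turns the seven-hour window into minutes.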

"The threat actor was able to access database tables that contain information about users, apps, and various types of 
keys," the company said.

The company added that although it encrypts "certain sensitive data at rest," it could not rule out the possibility 
that the hacker "also obtained the ability to decrypt data".

But a spokesperson did not say what kind of data is and isn't encrypted. We have asked for clarity, and will update 
when we hear back.

Some had questioned earlier in the day how the hackers had access to customer data that could ultimately be decrypted.

"Am I the only 1 to find it disturbing OneLogin had a decryption method for customer data accessible enough to be 
grabbed via breach?" said one user on Twitter.

The company has advised customers to change their passwords, generate new API keys for their services, and create new 
OAuth tokens -- used for logging into accounts -- as well as to create new security certificates. The company said that 
information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be 
decrypted.

The company also hasn't said how many customers were affected.

According to its website, dozens of major multinationals, including ARM, Dun & Bradstreet, The Carlyle Group, Conde 
Nast, and Dropbox (which a spokesperson disputed in an email), are customers.

OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It's 
thought that the company has millions of users serving more than 2,000 companies in dozens of countries, according to 
CrunchBase.

The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web 
Services, Microsoft's Office 365, LinkedIn, Slack, Twitter, and Google services.

It's the second such breach in as many years. Last August, the company warned users that its Secure Notes service had 
been accessed by an "unauthorized user," but it denied that any customer data had been compromised.

Updated at 8pm ET: Additional details from the company.

_______________________________________________
BreachExchange mailing list sponsored by Risk Based Security
BreachExchange () lists riskbasedsecurity com