Even security companies can be hacked.
OneLogin, the password management service, has fallen victim to an embarrassing cyber attack – proving that even security companies are at risk of breaches.
Encrypted information has reportedly been accessed by the perpetrators of the data breach, with all customers served by OneLogin’s US data centres potentially set to be affected by the attack. OneLogin has not yet made it clear what data has been accessed, giving limited details in a blog.
“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.”
Although it remains to be seen what was stolen and how the hackers breached company systems, Nir Polak at Exabeam said that the data breach is “the best example of the power of a credential-based or stolen identity attack we’ve seen in a while.”
“Typically, a hacker steals an employee’s account credentials to access the employee’s company network and freely roam from system to system. Single sign-on services such as OneLogin are designed to let employees use only one credential to access many companies’ services,” explained Polak.
“Gaining access to OneLogin’s systems is very much like stealing a master key — once you have that, you have access to all of the systems that an employee can jump in to. It’s a tough situation: on the one hand, these identity manager services significantly improve security, as they improve control over passwords and account activation. On the other, as seen here, if you can break the system, that control all but vanishes.”
As a password manager, the information up for grabs could prove extremely lucrative to the hackers.
“An en-mass data theft at OneLogin has earned the hacker a significant haul of customers’ account credentials, including plain text access to passwords. This data can either be sold on or directly used for further breaches and theft,” said Matt Walmsley at Vectra Networks.
However, OneLogin is in full damage limitation mode, having already “reached out to impacted customers with specific recommended remediation steps.” These remediation steps include forced password resets, generating new security credentials and recycling secrets stored in OneLogin’s secure notes.
“We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened,” chief information security officer Alvaro Hoyos said on the company’s blog.
“We are actively working to determine how best to prevent such an incident from occurring in the future.”
OneLogin markets itself as a single sign-on service, allowing users to access multiple apps and sites with just one password. Integrated apps and sites to OneLogin services include Amazon Web Services, Microsoft Office 365, Slack, Cisco Webex, Google Analytics and LinkedIn.