Global password managing service provider OneLogin has confirmed it has been hit by a data breach that allowed hackers to decrypt encrypted information.
The OneLogin data breach has since been contained and the company is now advising affected clients on how to minimise damage caused by the data breach.
OneLogin's online Password Manager service allows enterprises, software providers and app vendors log into various cloud services through a single gateway. The gateway is protected by encryption and helps enterprises protect their identities and confidential data at the same time.
On Wednesday, the company discovered an unauthorised access on its server which not only decrypted encrypted information but also made away with precious customer data. The company hasn't confirmed how much data was compromised or how many clients have been affected so far.
“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount,” said Alvaro Hoyos, chief information security officer at OneLogin via a blog post.
“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented,” he added.
Aside from changing their passwords, OneLogin has advised affected clients to generate new API keys and OAuth tokens, recycle any data stored in OneLogin’s Secure Notes feature and create new security certificates. According to Motherboard, OneLogin's message to affected clients carried a “Customer data was compromised, including the ability to decrypt encrypted data" header.
According to Nir Polak, CEO at security intelligence firm Exabeam, password manager services like OneLogin offer hackers the opportunity to infiltrate multiple cloud-based accounts by getting past a single entry point. Once they get past basic encryption hurdles, they can access a lot of data without putting in too much effort.
"Single sign-on services such as OneLogin are designed to let employees use only one credential to access many companies' services. Gaining access to OneLogin’s systems is very much like stealing a master key — once you have that, you have access to all of the systems that an employee can jump in to," Polak said.
"It’s a tough situation: on the one hand, these identity manager services significantly improve security, as they improve control over passwords and account activation. On the other, as seen here, if you can break the system, that control all but vanishes," he added.
In a recent update to its blog post, OneLogin has explained how its server was breached by unnamed hackers:
"Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it," the company said.
The company also said that the hackers in question were able to access "database tables that contain information about users, apps, and various types of keys." Since such data is always encrypted, OneLogin has reason to believe that the hackers could decrypt encrypted data. OneLogin has confirmed it will share more details on the data breach in the coming days.