
OneLogin suffers breach—customer data said to be exposed, decrypted


CrAKeN


Customer account-only support page warns of "ability to decrypt encrypted data."

 

OneLogin has admitted that the single sign-on (SSO) and identity management firm has suffered a data breach. However, its public statement is vague about the nature of the attack.

 

An e-mail to customers provides a bit of detail—warning them that their data may have been exposed. And a support page that is only accessible to OneLogin account holders is even more worrying for customers. It apparently says that "customer data was compromised, including the ability to decrypt encrypted data."

 

OneLogin—which claims to offer a service that "secures connections across all users, all devices, and every application"—said on Thursday that it had "detected unauthorised access" in the company's US data region. It added in the post penned by OneLogin CISO Alvaro Hoyos:

 

We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.


While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.

 

It has given customers a long list of actions to protect their accounts following the attack.

 

It's unclear why it is that OneLogin has provided three different sets of information to its customers. It's possible the company was hoping to only disclose more detail to those directly affected by the attack to avoid revealing potential weaknesses that may have exposed the data in the first place. But that attempt to keep the information under wraps has clearly backfired as customers scramble to secure their accounts.

 

This is the second data breach that OneLogin has suffered within the past year. Last August it warned customers of a cleartext login bug on its Secure Notes service, after "an unauthorised user gained access to one of our standalone systems, which we use for log storage and analytics." Hoyos apologised for that particular breach. "We are making every effort to prevent any similar occurrence in the future," he said at the time.

 

Source

straycat19

Anyone who relies on someone else to maintain and protect their data is a fool. In this case pure laziness, not wanting to take the few seconds it takes to login to a website, has exposed thousands of users and their data. I cannot say it enough: Security, Security, Security. Everything else comes fourth. Where do you keep all your login credentials? I keep mine in an encrypted database, in an encrypted folder, on an encrypted server. That requires three different logins that have three different username/password combinations. Requires a little effort to login but no one is ever going to steal it and if they did they would never be able to decrypt 2048 encryption.

 

Think about your data today, and do yourself a favor, secure it.

 

OK, I'll get off my soapbox now. :)

straycat19

OneLogin hacker swiped AWS keys, can decrypt stolen data

Companies should maintain direct control of their keys, said cybersecurity experts.

 

OneLogin is reporting its recent data breach was made possible when a hacker obtained access to a set of Amazon Web Service keys through a third-party vendor. With this, the hacker was able to enter its U.S. data center, compromising all its records.

 

The password management firm said the stolen keys gave the intruder access through the AWS API, something industry experts say could have been averted if OneLogin maintained control of its keys. There could possibly be a design flaw, some say.

 

“This risk could have been averted,” said Simon Hunt, EVP and chief technology officer at WinMagic. "Maintaining exclusive enterprise control of a business's keys isn't a nice-to-do. Emerging hypervisor vulnerabilities create a real security gap, and cloud-based key management solutions can leave keys open to theft or transfer of authority."

 

John Bambenek, Fidelis Security's threat systems manager, said what happened to OneLogin is not in line with what a password manager should be. Nothing, he said, should be recoverable.

 

"There is probably a design problem here," he said.

 

OneLogin said the first few illegal entries into the system took place on May 31 at 2 a.m. PST. These initial forays were described by OneLogin as reconnaissance missions, but were quickly followed up by the real attack. This was detected six hours later and OneLogin was able to quickly staunch the attack and block the AWS keys.

 

“A silver lining in the OneLogin breach is that they were able to identify the suspicious database activity quickly and take the appropriate action to arrest the threat,” said Ken Spinner, vice president of field engineering at Varonis Systems. "Many organizations simply don't monitor critical data and undoubtedly suffer breaches that go undiscovered for years – like Yahoo! – or never get discovered at all."

 

Bambenek credited OneLogin with quickly noticing and reacting to the issue, but added it is a mistake to use a third-party vendor as that is the prime attack point for most cybercriminals, citing what happened with Target as an example.

 

The results of the attack were quite serious with OneLogin admitting a host of sensitive data was accessed.

 

“The threat actor was able to access database tables that contain information about users, apps and various types of keys,” the company stated. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data."

 

Bambenek said the question now is what were the cybercriminals able to get away with. "We will have to see if they were able to offline the data," Bambenek said, noting this is not an easy task to do in the AWS environment.

 

The company is not saying how many of its customers were affected by the incident. An up-to-date figure on the number of customers served by OneLogin is not available, but in a 2013 press release the company noted it had just signed its 12 millionth customer, including many at the corporate level.

 

“Businesses really need a solution that grants them full and sole control of their encryption keys at all times, so that keys and data can never be exposed to government agencies, privileged insiders, or hackers during a breach,” Hunt said.

 

Article


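The second article describes the sequence OneLogin reported: a stolen AWS key, a few reconnaissance calls, then the real data access, caught through suspicious database activity and stopped by blocking the keys. The following is an added illustration of that detection logic, not code from the article, from OneLogin or from AWS. It runs over constructed CloudTrail-style records (a placeholder key id, constructed IP addresses and event names) against a constructed baseline of the networks each key is normally used from, and raises alerts for use from an unexpected network, for a burst of metadata-reading calls, and for data access that follows such a burst.

```python
"""Flag anomalous use of a long-lived AWS access key in CloudTrail-style records.

Added illustration only: the baseline, key id, IP addresses and records below
are constructed placeholders, not data from OneLogin or the article.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed baseline: the networks each key is expected to be used from.
KEY_BASELINE = {
    "AKIAEXAMPLEKEY000001": [ip_network("10.20.0.0/16")],  # placeholder key id
}

# Calls that only read metadata; a burst of them from one key is the
# "reconnaissance" pattern the article describes before the real access.
RECON_EVENTS = {"GetCallerIdentity", "ListBuckets", "DescribeDBInstances", "ListTables"}
# Calls that read or copy data out of a database or bucket.
DATA_EVENTS = {"GetObject", "CreateDBSnapshot", "CopyDBSnapshot", "Scan"}

# Constructed CloudTrail-like records, reduced to the four fields used here.
SAMPLE_RECORDS = [
    {"eventTime": "2017-05-31T09:00:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "sourceIPAddress": "10.20.1.5", "eventName": "GetObject"},             # normal use
    {"eventTime": "2017-05-31T09:01:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "sourceIPAddress": "203.0.113.7", "eventName": "GetCallerIdentity"},   # new network
    {"eventTime": "2017-05-31T09:01:30Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "sourceIPAddress": "203.0.113.7", "eventName": "ListBuckets"},
    {"eventTime": "2017-05-31T09:02:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "sourceIPAddress": "203.0.113.7", "eventName": "DescribeDBInstances"},
    {"eventTime": "2017-05-31T09:40:00Z", "accessKeyId": "AKIAEXAMPLEKEY000001",
     "sourceIPAddress": "203.0.113.7", "eventName": "CreateDBSnapshot"},    # the real access
]


def parse_time(stamp):
    """CloudTrail timestamps are UTC in ISO 8601 with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def analyze(records, baseline=KEY_BASELINE, recon_threshold=3, window=timedelta(hours=1)):
    """Return alerts as (reason, key_id, detail) tuples in the order they fire.

    Records from a key's baseline networks are ignored. Off-baseline use raises
    'unexpected_source' once per key; recon_threshold metadata calls inside
    `window` raise 'recon_burst'; a data call within `window` of that burst
    raises 'data_access_after_recon'.
    """
    alerts = []
    reported_source = set()          # keys already reported for off-baseline use
    recon_times = defaultdict(list)  # key -> timestamps of off-baseline recon calls
    burst_at = {}                    # key -> time its recon burst was reported
    for rec in sorted(records, key=lambda r: r["eventTime"]):
        key, name = rec["accessKeyId"], rec["eventName"]
        src, when = ip_address(rec["sourceIPAddress"]), parse_time(rec["eventTime"])
        if any(src in net for net in baseline.get(key, [])):
            continue  # expected network: nothing to flag
        if key not in reported_source:
            reported_source.add(key)
            alerts.append(("unexpected_source", key, str(src)))
        if name in RECON_EVENTS:
            # keep only recon calls inside the sliding window, then add this one
            recent = [t for t in recon_times[key] if when - t <= window] + [when]
            recon_times[key] = recent
            if len(recent) >= recon_threshold and key not in burst_at:
                burst_at[key] = when
                alerts.append(("recon_burst", key, len(recent)))
        elif name in DATA_EVENTS and key in burst_at and when - burst_at[key] <= window:
            alerts.append(("data_access_after_recon", key, name))
    return alerts


def keys_to_disable(alerts):
    """Keys whose activity went past a single odd call: candidates for immediate revocation."""
    return sorted({key for reason, key, _ in alerts if reason != "unexpected_source"})


if __name__ == "__main__":
    found = analyze(SAMPLE_RECORDS)
    for reason, key, detail in found:
        print(f"{reason:25} {key} {detail}")
    print("disable:", keys_to_disable(found))
```

The baseline here is hand-written; in a real pipeline it would be learned from the key's history, and the records would come from a CloudTrail export rather than an inline list. The design point matches the article's "silver lining": the signal worth alerting on is the shape of the activity (new network, metadata enumeration, then bulk data access), so that the response, disabling the key, can happen in hours rather than after the data is gone.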