Identity Manager OneLogin Has Suffered a Nasty Looking Data Breach

The company’s public blog post is thin on details, but a list of mitigations sent to users paints a much more worrying picture.

Jun 1 2017, 9:13am

There is always, of course, a slight irony when companies focused on providing security for their customers suffer a data breach.

On Wednesday, OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced it had suffered some form of breach. Although it's not clear exactly what data has been taken, OneLogin says that all customers served by the company's US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take.

"Today we detected unauthorized access to OneLogin data in our US region," the company wrote in a blog post.

Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email: namely, that hackers have stolen customer information.

"Customer data was compromised, including the ability to decrypt encrypted data," according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message.

The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be.

According to copies of those steps, users are being told to generate new API keys and OAuth tokens (OAuth being a standard that lets one application act on an account held with another service); create new security certificates as well as credentials; recycle any secrets stored in OneLogin's Secure Notes feature; have end-users update their passwords, and more.
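The rotation list above is, in practice, an inventory problem: a customer has to find every secret that lived in the affected region before detection and prove each one was reissued afterwards. The following script is an added example written for this article, not OneLogin's code or tooling; the inventory format, category names, priority order, and the exact cutoff timestamp are all assumptions. It encodes two points the customer notice implies: region decides scope (the article says every US-region customer is affected), and because the attacker could decrypt stored data, encryption at rest exempts nothing, so a "rotation" dated before detection does not count.

```python
"""Post-incident secret rotation tracker (added example; not OneLogin's code).

Assumptions, none of which come from the article: the Secret record layout,
the category names, the priority order, and the detection timestamp's hour.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# The article says detection was "Wednesday" (31 May 2017); the hour is an assumption.
INCIDENT_DETECTED = datetime(2017, 5, 31, 0, 0, tzinfo=timezone.utc)
AFFECTED_REGIONS = {"us"}  # article: all customers in the US region are impacted

# Categories the customer notice told users to rotate; the priority order is this example's choice.
ROTATION_PRIORITY = {
    "api_key": 1,
    "oauth_token": 1,
    "certificate": 2,
    "service_credential": 2,
    "secure_note": 3,
    "end_user_password": 4,
}


@dataclass
class Secret:
    name: str
    category: str
    region: str
    issued_at: datetime
    rotated_at: Optional[datetime] = None  # None means not rotated yet


def needs_rotation(secret: Secret, detected: datetime = INCIDENT_DETECTED) -> bool:
    """In scope if it existed in an affected region before detection.
    Encryption at rest is no exemption: the notice said stored data could be decrypted."""
    if secret.region.lower() not in AFFECTED_REGIONS:
        return False
    if secret.category not in ROTATION_PRIORITY:
        raise ValueError(f"unknown category: {secret.category}")
    return secret.issued_at < detected  # secrets minted after detection are clean


def is_rotation_complete(secret: Secret, detected: datetime = INCIDENT_DETECTED) -> bool:
    """Only a reissue dated at or after detection closes the item;
    a rotation from before the incident was itself exposed."""
    if not needs_rotation(secret, detected):
        return True
    return secret.rotated_at is not None and secret.rotated_at >= detected


def rotation_plan(inventory, detected=INCIDENT_DETECTED):
    """Outstanding rotations as (priority, category, name), most urgent first."""
    pending = [
        (ROTATION_PRIORITY[s.category], s.category, s.name)
        for s in inventory
        if not is_rotation_complete(s, detected)
    ]
    return sorted(pending)


def rotation_summary(inventory, detected=INCIDENT_DETECTED):
    """Per category: (rotated, total in scope), for tracking progress."""
    summary = {}
    for s in inventory:
        if not needs_rotation(s, detected):
            continue
        done, total = summary.get(s.category, (0, 0))
        done += 1 if is_rotation_complete(s, detected) else 0
        summary[s.category] = (done, total + 1)
    return summary


# Constructed sample inventory; none of these are real secrets or customers.
SAMPLE_INVENTORY = [
    Secret("ci-deploy-key", "api_key", "us", datetime(2017, 1, 10, tzinfo=timezone.utc)),
    Secret("mobile-app-oauth", "oauth_token", "us", datetime(2017, 4, 2, tzinfo=timezone.utc),
           rotated_at=datetime(2017, 5, 20, tzinfo=timezone.utc)),  # rotated before detection: still exposed
    Secret("saml-signing-cert", "certificate", "us", datetime(2016, 11, 1, tzinfo=timezone.utc),
           rotated_at=datetime(2017, 6, 1, 9, tzinfo=timezone.utc)),  # reissued after detection: done
    Secret("db-root-pw-note", "secure_note", "us", datetime(2017, 3, 15, tzinfo=timezone.utc)),
    Secret("eu-api-key", "api_key", "eu", datetime(2017, 1, 10, tzinfo=timezone.utc)),  # other region: out of scope
    Secret("new-token", "oauth_token", "us", datetime(2017, 6, 1, 12, tzinfo=timezone.utc)),  # minted afterwards
]

if __name__ == "__main__":
    for prio, category, name in rotation_plan(SAMPLE_INVENTORY):
        print(f"P{prio} {category:<18} {name}")
    print(rotation_summary(SAMPLE_INVENTORY))
```

The `mobile-app-oauth` entry is the case worth noticing: it has a rotation timestamp, but one that predates detection, so the plan still lists it. A tracker that only checks "has this ever been rotated?" would mark it closed and leave a compromised token in service.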

"Dealing with aftermath," one customer told Motherboard. "This is a massive leak."

OneLogin did not respond to a request to clarify what sort of customer data has been stolen.

"We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident," the post added.

The lesson: It's always worth remembering that when a service aggregates the ability to log into multiple apps or sites at once, it is creating a very juicy target for hackers. In some ways, it can be the digital equivalent of putting all, or at least a lot, of your eggs in the same basket. With security, there is always a tradeoff with efficiency and convenience; it's up to you what sort of balance you want to strike.
