Please fill in the form below to subscribe to our blog

OneLogin – When Password Storing Goes Wrong

June 15, 2017

OneLogin, a company that provides single sign-on capabilities to safely store passwords of over 23 million users including 2,000 businesses, has suffered a compromise that included the ability to decrypt customer data. In a recent blog, the company revealed that an attack occurred May 31st at 2 am and was identified by a staff member around 9 am. Through that attack, sensitive information such as user information: passwords and emails, various keys from companies and login credentials for a slew of cloud applications were potentially compromised. In the OneLogin blog post, it was stated that they “…cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.” And according to the email sent out after the breach, customers were instructed on steps they should take to proactively prepare themselves. They were advised to force a OneLogin Directory Password Reset for end users, update credentials on 3rd party apps for provisioning and to do numerous other things. The email also included further updates and information.

The company has contacted the authorities and enlisted the help of a third party cyber security firm to discover how the breach happened and understand the impact of it. They found that a “threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediates host with another smaller service provider in the US.”

How Could This Have Happened?

The breach occurred when the attacker acquired highly sensitive keys for its Amazon-hosted cloud instance from an intermediate host. Even though the company uses intrusion detection to spot threats as they occur, the use of this key went unnoticed. In a ZDNet phone interview with Alvaro Hoyos, the Chief Information Security Officer for OneLogin, he stated that there was no master key to obtain customer data and that the hackers gained access through an authorized Amazon Web Services key, turning into a key for their “front door.”

The Damage Occurred

Even though most passwords and secure notes were encrypted, some data was still compromised. Less sensitive data such as email addresses, job titles and office locations were not encrypted and became easy gatherable information.

The Cons of Storing Passwords in the Same Place

It is bad cyber hygiene for passwords to repeat from platform to platform and they should always be difficult to guess. Because of this, companies like OneLogin are usually a no-brainer way to store and keep track of passwords. But using this method places all your eggs in one basket. David Mytton, the chief executive of the London-based Server Density Limited believes that this data breach will confirm suspicions of using web services or cloud data centers. He also stated that “Nothing is 100% secure and running your own single sign-on system is probably more risky but at least it’s isolated to your own system. The issue is not just a breach of OneLogin itself but the fact they store credentials to log into so many systems for so many customers.” One customer spoke to Fortune about the breach, “This is a catastrophe and the risk all the cloud naysayers were warning us about.”

Future Preparation

Despite the lack of crisis communication at the beginning, there are new security measures being put in place within the company. Over a period of time, more data will become encrypted, they will be investing in better monitoring systems and more technical support staff will be added. OneLogin will also be investigating their ability to encrypt and decrypt and will look for a better way to manage their keys.

A lack of password protection perpetuates the cycle of data theft. In this instance, one of the major password management systems became compromised. This is a sentiment that cyber criminals are strategic and are ever evolving their efforts. Every organization and individual needs to stay cyber aware. Update technology and exhaust all resources to protect personal information.

What other methods of password protection do you use, besides management applications?

Tweet us at @ID_Agent!