Hackers break into centralized password manager OneLogin

Posted June 03, 2017

In a later update, OneLogin revealed that the hacker "obtained access to a set of AWS (Amazon Web Services) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the United States". OneLogin staff caught wind of the unusual database activity seven hours later, at around 9 a.m. PST, and shut down the attack "within minutes". Services integrated into OneLogin include Dropbox, Amazon Web Services, Office 365, Salesforce, SharePoint, Slack and Zendesk.

The company says in its announcement that it has contacted affected users.

The impact of the attack is not yet known, but OneLogin has millions of users so the implications are pretty huge. A problem was discovered with LastPass' browser extension in March, and now OneLogin has suffered a major data breach.

OneLogin hasn't revealed anything about how the breach occurred, or whether hackers made off with just customer data or with passwords as well. In a follow-up, Hoyos added that the attacker did so by obtaining a set of AWS keys and using them to gain access to the AWS application programming interface via another service provider. As you would expect, OneLogin does encrypt all of its sensitive data, but at this time the company "cannot rule out the possibility" that the hacker also made off with the ability to decrypt data. During the security breach, private information about users, apps, and various keys may have been obtained by the still unknown hackers. "We want our customers to know that the trust they have placed in us is paramount", Hoyos wrote.

OneLogin describes its investigation into the attack as "ongoing" and as involving independent third-party security experts and law enforcement.

There are a number of potential vectors by which an attacker could have breached OneLogin's security.

More in-depth instructions for account security can be found here. OneLogin says that it encrypts sensitive data, but it also states that the intruder may have gained the ability to decrypt it.