OneLogin breached, customers’ Secure Notes compromised
San Francisco-based OneLogin, which offers single sign-on and identity management for cloud-based applications and claims 1400+ enterprise customers in 44 countries, has suffered a data breach.
The attacker has managed to gain access to a company system that allowed him to view some customers’ unencrypted Secure Notes.
OneLogin advises users to use the feature to “securely store information such as license keys and firewall passwords.”
“These notes are stored in our system using multiple levels of AES-256 encryption,” OneLogin’s CISO Alvaro Hoyos explained, but added that a bug caused these notes to be visible in their logging system prior to being encrypted and stored in their database.
The attacker gained access by using a OneLogin employee’s password for that system. So far it seems that he accessed the system on July 2, 2016, but it’s possible he did so even earlier.
In any event, the potentially affected “small subset” of customers were notified of the intrusion, and have been advised to consider the information stored in their Secure Notes as compromised.
The company has called in outside cybersecurity experts to help with the investigation and remediation.
They have plugged the bug that was exploited in this attack, reset all passwords in external systems that don’t support SAML or allow alternate forms-based authentication, and have locked down access to the log management system by allowing only SAML-based authentication and only from a limited set of IP addresses.
The company will be sending out additional notifications if the investigation discovered that more customers have been affected by the breach.