San Francisco-based OneLogin, which provides single sign-on and identity management services for companies and app vendors, recently notified its users that it had discovered unauthorized access to its data.
The idea behind OneLogin is for a user to have one username and password that they can use through OneLogin’s platform for all of their apps. This makes sign-on easy for users, but it also means that every one of the user’s apps can be compromised if the single sign-on authentication itself is compromised. That is exactly the risk that materialized in this incident.
In the notification, OneLogin provided users with steps they can take to protect themselves following the incident, including generating new API keys and OAuth tokens, creating new security certificates, credentials and secrets, and changing their passwords.
Even more concerning is the report from KrebsOnSecurity that the intrusion occurred through the AWS API and that, according to OneLogin, the intruder was able to “access database tables that contain information about users, apps and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”
If this is accurate, it is very concerning: encryption at rest protects data only as long as the keys stay out of the attacker’s hands, and an intruder who can read both the encrypted tables and the keys that protect them gains little less than a plaintext copy. That shows the sophistication of the intrusion and should be a strong warning to all of us. Hopefully, we will learn more about the mechanics of the intrusion to help others avoid becoming victims as well.