Friday 9 June 2017

Using OneLogin Password Manager? You Are Definitely At A Greater Risk !!!

Are you using OneLogin password manager? If yes, then immediately change all your account passwords right away.

Customer data residing in password management service OneLogin was compromised when a “malicious actor” accessed information on keys used for encryption, the firm reports. ZDNet reported that the company told users, "all customers served by our data center are affected and customer data was potentially compromised." Although the company did not provide many details about the nature of the cyberattack, the statement released by the firm suggests that the data breach is extensive.

Well, this isn't the first time a password manager has faced a hack. Popular tool LastPass was hacked in 2015. And OneLogin faced a different hack of one aspect of its service last year.

How did the attack take place?

OneLogin, which aims at offering a service that "secures connections across all users, all devices, and every application," has not yet revealed potential weaknesses in its service that may have exposed its users’ data in the first place.

The attack occurred on May 31 around 2am PST (09:00 GMT), according to OneLogin. Staff were not aware of the breach until seven hours later, at 9am PST, and within minutes of noticing it they shut down the affected instance as well as the AWS keys that had been used to create it. Later in the day, the company said in an update: "Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US."
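The detail worth dwelling on is that stolen AWS keys were replayed from an intermediate host at a different provider, and that seven hours passed before anyone noticed. The script below is an added example, not OneLogin's code or anything the company has published: it runs a simple detection over CloudTrail-style records, flagging any access key used from outside the organisation's known egress range and raising the severity when the call is a sensitive action, then reports how long the activity went unnoticed. The event records, the egress range 203.0.113.0/24, the list of sensitive actions and the detection time are all constructed for the example.

```python
"""
Added example (not OneLogin's code): spotting a leaked AWS access key being
used from an unfamiliar network in CloudTrail-style records.

Everything below is constructed for illustration: the events, the known
egress range, the set of sensitive actions and the detection time.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed CloudTrail-like events. Timestamps loosely follow the timeline
# in the post (first unexpected use around 09:00 UTC); nothing here is real data.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T08:40:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2017-05-31T09:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2017-05-31T09:04:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2017-05-31T09:30:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0001"}},
    {"eventTime": "2017-05-31T10:15:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.22",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY0002"}},
]

KNOWN_EGRESS = [ip_network("203.0.113.0/24")]                          # assumed corporate egress
SENSITIVE_ACTIONS = {"RunInstances", "GetObject", "CreateAccessKey"}   # assumed high-impact calls
DETECTED_AT = datetime(2017, 5, 31, 16, 0, tzinfo=timezone.utc)        # constructed detection time


def parse_event(raw):
    """Pull the fields the check needs out of one CloudTrail-style record."""
    return {
        "time": datetime.strptime(raw["eventTime"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
        "action": raw["eventName"],
        "ip": ip_address(raw["sourceIPAddress"]),
        "key": raw["userIdentity"]["accessKeyId"],
    }


def from_known_network(ip, networks):
    """True when the source address falls inside one of the trusted ranges."""
    return any(ip in net for net in networks)


def find_suspicious_key_use(raw_events, known_networks=KNOWN_EGRESS, sensitive=SENSITIVE_ACTIONS):
    """Return one finding per API call made with a key from outside the known networks.

    Each finding also records whether the same key was seen from a trusted
    address earlier in the log: a key that is used legitimately from inside
    and then replayed from elsewhere is what a lifted credential looks like.
    Sensitive actions raise the severity from medium to high.
    """
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e["time"])
    seen_from_known = set()   # access keys observed from a trusted network so far
    findings = []
    for ev in events:
        if from_known_network(ev["ip"], known_networks):
            seen_from_known.add(ev["key"])
            continue
        findings.append({
            "time": ev["time"],
            "key": ev["key"],
            "ip": str(ev["ip"]),
            "action": ev["action"],
            "severity": "high" if ev["action"] in sensitive else "medium",
            "also_used_from_known_network": ev["key"] in seen_from_known,
        })
    return findings


def dwell_time_hours(findings, detected_at):
    """Hours between the earliest suspicious event and the moment someone noticed."""
    if not findings:
        return 0.0
    first = min(f["time"] for f in findings)
    return (detected_at - first).total_seconds() / 3600


if __name__ == "__main__":
    found = find_suspicious_key_use(SAMPLE_EVENTS)
    for f in found:
        print(f"{f['time']:%H:%M}Z key={f['key']} ip={f['ip']} action={f['action']} "
              f"severity={f['severity']} seen_internally_before={f['also_used_from_known_network']}")
    print(f"dwell time: {dwell_time_hours(found, DETECTED_AT):.1f} hours")
```

On the constructed events the check flags three calls from 198.51.100.77 with the first key, two of them high severity, and reports a dwell time of seven hours, matching the gap the post describes. In practice the known-network list would come from the organisation's NAT and VPN egress addresses, and the alert would be wired to an automatic key deactivation rather than a print statement.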

What type of information was stolen?

Although it is not clear exactly what data was stolen in the hack, a detailed post on a customer-only support page apparently says that all customers served by the company's US data centre are affected and that their data has been compromised, though it gives no exact count of affected accounts.

OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It's thought that the company has 12 million users serving more than 2,000 companies in dozens of countries. The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web Services, Microsoft's Office 365, LinkedIn, Slack, Salesforce, SharePoint, Zendesk, Twitter and Google services.

This threat actor is said to have been able to access database tables containing information about users, apps, and various types of keys. Although OneLogin encrypts certain sensitive data at rest, it could not rule out the possibility that the hacker also obtained the ability to decrypt that data.

What is OneLogin doing in this scenario?

OneLogin has blocked the unauthorized access to its data centre and is actively working with law enforcement and a security firm to investigate the incident and verify the extent of the impact.


"We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident," the company's chief security officer Alvaro Hoyos said.
"We are actively working to determine how best to prevent such an incident from occurring in the future."

What should you do now?

First of all, change passwords for all your accounts that you have linked with OneLogin.

The company has given customers an extensive list of actions to take to protect themselves and minimise the risk to their data, which includes:
  • Forcing a password reset for all of its customers.
  • Creating new security credentials, OAuth tokens and certificates for apps and websites.
  • Regenerating or replacing secrets stored in OneLogin's Secure Notes.
For any other queries, OneLogin customers can contact the company at security-support@onelogin.com.

It's the second such breach in as many years. Last August, the company warned users that its Secure Notes service, which it used for log storage and analytics, had been accessed by an "unauthorized user" through one of the company's standalone systems.
