OneLogin Hacked: ID Manager Database Breached, User Information Compromised

OneLogin, an online platform for managing logins to sites and services, experienced a database breach in which customer information was compromised and encrypted data has been put at risk of being decrypted.

OneLogin disclosed the breach Wednesday when it experienced “unauthorized access” to one of its U.S.-based data centers. The company said an investigation into the breach is ongoing, but was sparing on details.

Read: Payday Loans Online Data Breach: Personal Information From 250,000 People Stolen From Company

“We have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented,” OneLogin chief information security officer Alvaro Hoyos wrote in a blog post.

Hoyos said the company has reported the breach to law enforcement and is “working with an independent security firm” to determine the extent of the attack. “We want our customers to know that the trust they have placed in us is paramount.”

In emails sent to customers affected by the breach and obtained by Motherboard, OneLogin offered a more complete picture of just how serious the security lapse is. “Customer data was compromised, including the ability to decrypt encrypted data,” the email notes.

OneLogin counts 2,000 companies in 44 countries, more than 300 app vendors and more than 70 software-as-a-service providers among its customers. The company provides a single sign-on capability that allows users to manage multiple accounts from a single platform.

Read: HipChat Hacked: Usernames, Passwords And Messages Stolen From Popular Communications App

The message from the company also provided customers with a list of steps to take to minimize the amount of damage done by the breach. OneLogin encouraged users to generate new API (application program interface) keys and OAuth (open authorization) tokens, create new security certificates and update passwords.

OneLogin also advised users to recycle any important information stored in its Secure Notes feature.OneLogin’s support page for the feature says Secure Notes is designed to “securely store information such as license keys and firewall passwords.”

Last year, OneLogin experienced a breach that allowed an intruder to access Secure Notes in plaintext. In this case, it appears those Secure Notes and other information may again be at risk, as the company notes encrypted user information could be decrypted.

“The latest OneLogin breach should not surprise anyone,” Ori Eisen, a cybersecurity expert and founder and CEO of identification management company Trusona, told International Business Times.

Eisen noted that static usernames and passwords, whether entered manually or trusted to a single sign-on service like OneLogin, are insecure because they can be compromised at almost any time.

“The problem with a solution like OneLogin is you’re relying on one password to protect all of your passwords. As soon as that gatekeeper password is breached, you’re putting everything else at risk.” Eisen suggested organizations need to “move beyond static usernames and passwords as a way to protect information” to truly be safe.