by Alfred Ng
June 2, 2017
OneLogin has suffered one big breach.
The password management company announced Wednesday that its data centers in the US had been hacked.
"OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised," the company wrote in an email to its customers.
Password managers have grown in popularity as people try to keep up with the many different passwords they have for their multitude of accounts online.
And those passwords can be complicated: You're often asked to make each one at least 16 characters long, with a mix of character types. Managers, delivered as an app or a browser extension, act as a master key and store all of that information, helping you log in with hard-to-crack passwords. Unfortunately, because they hold a person's every password, managers are prime targets for attacks. A big case in point -- the LastPass breach in 2011.
Alvaro Hoyos, OneLogin's chief information security officer, said the company blocked unauthorized access following the breach and is working with law enforcement and an independent security firm to figure out how the hack occurred. It has not revealed any details on how many customers were affected.
The attackers were able to break in after obtaining a set of Amazon Web Services keys and breaching a smaller service provider that worked with OneLogin, Hoyos said. The company found that the attack started on May 31 at about 2 a.m. PT and ended seven hours later, after staff noticed the breach.
The company urges its customers to generate new OAuth keys and security tokens and to change the credentials for all their accounts, including passwords. OAuth abuse was how up to 1 million people fell victim to a phishing attack through Google Docs last month without ever typing in their passwords.
OneLogin also recommends that any secrets stored in its Secure Notes feature be deleted. The thieves behind the breach are able to "decrypt encrypted data," according to OneLogin's email to its customers.
The Secure Notes feature was breached before, in August 2016, according to the company. Despite the feature's multiple layers of encryption, a bug in Secure Notes caused the notes to appear in OneLogin's logging system, where hackers who broke in were able to view them.
The investigation into the hackers behind that breach is ongoing, Hoyos said.