OneLogin hack exposed sensitive US customer data and ability to decrypt data

OneLogin, an identity management company which provides a single sign-on platform for logging into multiple apps and sites, was hacked. US customer data was potentially compromised,“including the ability to decrypt encrypted data.”

The company, which claims “over 2000+ enterprise customers in 44 countries across the globe trust OneLogin,” announced the security incident on May 31. It was short on details, primarily saying the unauthorized access it detected had been blocked and law enforcement was notified.

You wouldn’t know a breach even happened if you browsed the company’s Twitter feed, but affected customers received an email which purportedly stated, “On Wednesday, May 31, 2017, we detected unauthorized access to OneLogin data in our US operating region. At this time, OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised.”

Yet the support page referenced in the email, a page which can only be viewed by customers logging in, allegedly added, “All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.”

The support page goes on with a extensive list of “required actions” on the part of affected customers.

• Generate new certificates for your apps that use SAML SSO.
• Generate new API credentials and OAuth tokens.
• Generate new directory tokens.
• Generate new Desktop SSO tokens and credentials.
• If you replicate your directory password to provisioned applications (using the SSO Password feature), force a password reset for your users.
• Recycle any secrets stored in Secure Notes.
• Update the credentials you use to authenticate to 3rd party apps for provisioning.
• Update the admin-configured login credentials for apps that use form-based authentication.
• Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
• Replace your RADIUS shared secrets.

OneLogin later updated its post about the latest security incident, saying the facts are subject to change as the incident is investigated, but revealed the method of attack.

Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.

As for customer impact, OneLogin wrote:

The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.

The breach is an example of why some people advise against using a cloud-based single sign-on service. It may be convenient to login once, since the service holds credentials to other cloud apps and sites, but why wouldn’t an attacker be tempted to pull off one hack to get hold of so many credentials? This isn’t the first time OneLogin has been targeted as it also detected unauthorized access back in August 2016.