OneLogin password manager breached, user data decrypted

OneLogin purports to make it simple to manage your passwords and sign in to online services. It offers password storage and single sign-on systems to help you stay secure online. However, in a statement today, the company confirmed that its own security has been breached, putting the integrity of all the data it harbours at risk.
In its public statement, OneLogin said it had detected “unauthorized access” to its U.S. datacentre region. It did not provide details on the nature of the activity or elaborate on the risk to customer data.
OneLogin is aware of the extent of what happened though. In a separate post, the company admitted that “customer data was compromised, including the ability to decrypt encrypted data.” This strongly implies that the attackers have everything required to extract user passwords from the service and access the accounts they secure. The company also confirmed that “all” customers using its U.S. datacentre are affected.
OneLogin has been criticised for only releasing this second statement to registered users of its service. The letter has been widely distributed online by customers. There have been suggestions that OneLogin is trying to protect its outward reputation by containing the spread of information.
There is currently no word on how long the attack persisted or whether there’s evidence that the data is being actively decrypted. OneLogin hasn’t disclosed any details of how the hackers obtained access or how much data was stolen. Additionally, it hasn’t commented on how attackers were able to breach all of its systems, grabbing the user data as well as the secret keys needed to decrypt it.
In its official statement, the company said it is co-operating with law enforcement and an external security firm to investigate the incident. It added that it is working to understand the scale of the attack so it can begin to ascertain exactly what happened.
“We have blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident,” said OneLogin. “We want our customers to know that the trust they have placed in us is paramount.”
In its email to customers, OneLogin provided detailed information on how to secure any accounts affected by the breach. Because its software is aimed at enterprise users with single sign-on systems, the process is relatively complex and requires generating new secret keys for multiple services. Anyone with a OneLogin account which is hosted in the firm’s U.S. datacentre should follow the company’s instructions to safeguard their data.
