Password manager OneLogin has suffered a data breach, which has affected all users of its US data centre, it has been reported.
Admitting the breach in a blog posted on its website, the company’s chief information security officer Alvaro Hoyos called it a “security incident”.
He said: “Our review has shown that a threat actor obtained access to a set of Amazon Web Service (AWS) keys and used them to access the AWS application program interface (API) from an intermediate host with another, smaller service provider in the US.” OneLogin found the attack had happened on May 31st. Mr Hoyos explained that the hacker was able to create several instances in its infrastructure “to do reconnaissance”. He said that when it was alerted to unusual database activity, OneLogin shut down the affected instance as well as the AWS keys that were used to create it within minutes.
The company has encouraged affected users to visit a registration-only support page, which outlines the steps they should take now.
According to Mr Hoyos, the hacker was able “to access database tables that contain information about users, apps, and various types of keys”. He added that although the company does encrypt certain sensitive data at rest, it is unable to “rule out the possibility that the threat actor also obtained the ability to decrypt data”, which could cause real problems for those affected. OneLogin allows users to sign in and access multiple apps and websites – including AWS, Microsoft Office 365, Slack, Cisco Webex, Google Analytics and LinkedIn – with a single password.
BBC News reported that in 2013, the company had more than 700 business customers.
Mr Hoyos said the company’s investigation is ongoing, adding that it is being aided by independent third-party security experts, as well as law enforcement.