PINDROP BLOG

Employee Password Compromise Leads to Breach at OneLogin

A password compromise of an employee at OneLogin, the identity and access management company, has led to a breach at the company that affected stored customer data that was supposed to be encrypted but was actually available in plaintext.

The attack happened earlier this summer, and OneLogin officials say the attacker may have been on their system as early as July 2. The attacker targeted a system that stores Secure Notes, a feature that allows customers to store information. That data is stored in encrypted form, but a vulnerability in the system allowed the attacker to get to the data before it was encrypted.

“A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database. We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system,” Alvaro Hoyos, OneLogin CISO, said in a statement on the incident.

Hobos said there’s no evidence that any other employee accounts or any user accounts were compromised. He added that the incident only affected a small subset of the company’s customers.

There’s no evidence that any other employee accounts or any user accounts were compromised.

“Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016. Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during period of June 2, 2016 to July 24, 2016, are also at risk,” Hoyos said.

As a result of the attack, OneLogin has made several changes to its internal infrastructure, including fixing the initial bug, and ensuring that access to the logging system is only available from a specific set of IP addresses and only with SAML-based authentication. The company also reset all passwords on external systems that don’t support SAML authentication.

“We take this matter very seriously and have retained an independent cybersecurity firm to assist in analyzing the issue fully and make sure no stone is left unturned. We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk and we will follow up with any other customers who may be impacted as a result of this incident,” Hoyos said.

Webinar: TACKLING THE 113% FRAUD INCREASE IN CALL CENTERS