OneLogin suffers serious security breach -- attackers access data and decryption keys

Password management service OneLogin has fallen victim to a serious attack. The company says that it "detected unauthorized access to OneLogin data in our US data region" -- this was blocked, but not before the attacker gained access to AWS keys and the ability to decrypt data.

The company warns that "all customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data." OneLogin has provided a guide for securing data, but it's possible that it may be too late for some people.

In a blog post, OneLogin explains what happened: "Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it."

The company says that it is working with law enforcement and third-party investigators to find out more. On its support pages OneLogin has provided details about the steps concerned customers need to take to secure their data -- accessing these pages requires registration, but the details have been posted by The Register as well:

1. Force a OneLogin directory password reset for your users;
2. Generate new certificates for your apps that use SAML SSO;
3. Generate new API credentials and OAuth tokens;
4. Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors;
5. Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro;
6. Generate and apply new Desktop SSO tokens;
7. Recycle any secrets stored in Secure Notes;
8. Update the credentials you use to authenticate to 3rd party apps for provisioning;
9. Update the admin-configured login credentials for apps that use form-based authentication;
10. Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps;
11. Replace your RADIUS shared secrets.

The impact of the attack is not yet known, but OneLogin has millions of users so the implications are pretty huge.