Single sign-on (SSO) specialist OneLogin has warned users that it has suffered a data breach and that the attacker or attackers may have the ability to decrypt customer data as a result.
Following a brief announcement on Wednesday, OneLogin's Alvaro Hoyos penned a slightly more detailed analysis of the attack, which went live on the site late last night. 'As we communicated yesterday, we recently detected that a malicious actor had obtained access to our US operating region,' Hoyos explains. 'The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.'
If the attackers hold the database contents and can also decrypt them (OneLogin has not yet explained precisely how the attacker or attackers could have obtained that ability), the company's customers are at considerable risk. OneLogin positions itself as a security-enhancing tool, allowing its customers to sign on to multiple websites with a single shared identity. The attackers, then, may well be able to log into multiple third-party websites using stolen OneLogin identities, including corporate accounts and e-commerce accounts.
The company has come under fire following its announcement, both for running a system that was vulnerable to attack and in which encryption at rest appears to have failed to protect the data, and for requiring users to log in through OneLogin in order to read the company's advice and warnings about the attack. All affected OneLogin customers should already have been contacted by the company, but even if no email has been received it is recommended to log in to your OneLogin account immediately and change your security credentials. Because the compromised tables held keys as well as user and app records, changing a password alone may not be enough: any keys or other secrets stored in or issued through OneLogin should be treated as exposed and rotated.
OneLogin describes its investigation into the attack as 'ongoing' and says it involves independent third-party security experts and law enforcement.