The sorry state of many people’s passwords can make things easy for hackers, which is why using a password manager is always recommended. But even these aren’t without their vulnerabilities. A problem was discovered with LastPass’ browser extension in March, and now OneLogin has suffered a major data breach.
In a blog post published Tuesday, the single sign-on service wrote that it had detected unauthorized access to OneLogin data in its US data region. The company added it had since blocked the access, and had reached out to impacted customers, though it hasn’t revealed how many were affected.
In a later update, OneLogin revealed that the hacker “obtained access to a set of AWS (Amazon Web Services) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”
What's most worrying is that although the company says it encrypts “certain data at rest,” it could not rule out that the attacker had also obtained the ability to decrypt that data.
OneLogin’s website states that over 2,000 global enterprise customers secure their applications with its software, including Conde Nast, ARM, The Carlyle Group, and Pinterest. It also integrates with apps and services such as Amazon Web Services, Office 365, LinkedIn, Slack, Twitter, and Google.
Customers have been advised to force a password reset for all users, generate new API keys and security certificates for their services, and create new OAuth tokens. Some users have complained that they had to log in to the site to see the security article, and argued that OneLogin should make it publicly available.
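The breach pattern described above (stolen AWS keys used to call the AWS API from an intermediate host) is one that CloudTrail logs can surface, and it also answers the remediation question of which keys to rotate first. The following is an added illustration, not OneLogin's code or data: it scans constructed CloudTrail-style records for access keys used from outside a hypothetical per-key network allowlist and lists the keys that should be treated as compromised. The key IDs, IP addresses, CIDR ranges and event names in the sample are all constructed for the example.

```python
"""Flag AWS access-key use from unexpected hosts in CloudTrail-style records.

Added example (not OneLogin's code or data). The events, key IDs and IP
ranges below are constructed; EXPECTED_SOURCES is a hypothetical allowlist of
the networks each key is supposed to be used from.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample events. Field names follow the CloudTrail record layout
# (eventName, sourceIPAddress, userIdentity.accessKeyId); values are made up.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T02:00:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "10.0.1.15",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2017-05-31T02:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2017-05-31T02:06:00Z", "eventName": "Decrypt",
     "sourceIPAddress": "203.0.113.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000001"}},
    {"eventTime": "2017-05-31T02:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.0.2.8",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE00000002"}},
]

# Hypothetical allowlist: networks each access key is expected to be used from.
EXPECTED_SOURCES = {
    "AKIAEXAMPLE00000001": ["10.0.1.0/24"],
    "AKIAEXAMPLE00000002": ["10.0.0.0/16"],
}


def find_unexpected_key_use(events, expected_sources):
    """Return {access_key_id: [events]} for API calls made from outside the allowlist.

    A key with no allowlist entry at all is also reported, since nobody has
    declared where it may legitimately be used from.
    """
    nets = {key: [ipaddress.ip_network(c) for c in cidrs]
            for key, cidrs in expected_sources.items()}
    findings = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress")
        if key is None or src is None:
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            # CloudTrail records a service hostname instead of an IP when an
            # AWS service makes the call on the principal's behalf; skip those.
            continue
        allowed = nets.get(key)
        if allowed is None or not any(addr in net for net in allowed):
            findings[key].append(ev)
    return dict(findings)


def keys_to_rotate(findings):
    """Keys seen from unexpected hosts are treated as compromised: rotate them first."""
    return sorted(findings)


def summarize(events, expected_sources):
    """Per suspect key: the foreign source IPs and the calls made from them."""
    findings = find_unexpected_key_use(events, expected_sources)
    return {
        key: {
            "rotate": True,
            "source_ips": sorted({e["sourceIPAddress"] for e in evs}),
            "calls": [e["eventName"] for e in evs],
        }
        for key, evs in findings.items()
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_EVENTS, EXPECTED_SOURCES), indent=2))
```

In the constructed sample the first key is used once from its expected network and then twice from an address outside it, including a KMS `Decrypt` call, which is exactly the kind of evidence that would inform the "could the attacker decrypt data at rest" question. The second key only appears from its allowed range and is not reported. On real data the allowlist would come from your own inventory of which hosts hold which keys; CloudTrail itself does not know that.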