The chief security officer of OneLogin, Alvaro Hoyos, has confirmed and informed users that a “malicious actor” had gained unauthorized access to OneLogin’s data in the US region. The access has since been blocked after the breach and law enforcement was contacted.
Hoyos also informed users via email that sensitive customer data was stolen and compromised by the hacker. It reportedly took the company approximately seven hours from the beginning of the attack until the affected instances were shut down to stop it. During this time, the hacker had access to information about “users, apps and various types of keys.”
OneLogin stated that while such sensitive data is encrypted, it is unfortunately possible that the hacker might have gained the means to decrypt it, putting the sensitive information at risk.
Customers have been advised to change their passwords and API keys and to create new OAuth tokens and new security certificates. Even sensitive network passwords that were stored in OneLogin’s Secure Notes feature are at risk of being decrypted by the hacker.
Users are now criticizing the inadequate security measures taken by OneLogin, particularly the possibility that decryption methods were leaked. This is the second time the company has reportedly been hacked in recent years, but the first time user data has been compromised.
The number of affected users is unclear, as many companies and third-party apps use the service, which allows users to sign in to multiple services, websites and applications with a single password. Companies like ARM, Dun & Bradstreet, The Carlyle Group and Conde Nast reportedly use OneLogin, and it integrates with services like Amazon Web Services, Microsoft's Office 365, LinkedIn, Slack, Twitter, and Google services.
The investigation of the attack is ongoing and the full consequences are not yet clear, but all customers are advised to change any sensitive information they had used with OneLogin as soon as possible.