Identity management outfit OneLogin sugar coats impact of attack

Blog reveals breach. Email warns of data compromise. Support page says crypto at risk

Identity management outfit OneLogin has revealed it's suffered a security incident that's seen “unauthorized access to OneLogin data in our US data region”, but has offered rather scarier information in different documents.

The company blog describes only "unauthorized access". In emails sent to customers seen by The Reg the company adds news that “customer data was potentially compromised.” And on a registration-required support page the threat is described as follows:

“All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.”

Decrypt data? Woah! That's a bit more than mere unauthorized access.

OneLogin's blog does say that customers have been told what to do in the wake of the attack and the email we've seen does “strongly advise” customers to visit support page to which we have linked.

That page offers a long list of things customers need to do, ASAP, namely:

  1. Force a OneLogin directory password reset for your users;
  2. Generate new certificates for your apps that use SAML SSO;
  3. Generate new API credentials and OAuth tokens;
  4. Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors;
  5. Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro;
  6. Generate and apply new Desktop SSO tokens;
  7. Recycle any secrets stored in Secure Notes;
  8. Update the credentials you use to authenticate to 3rd party apps for provisioning;
  9. Update the admin-configured login credentials for apps that use form-based authentication;
  10. Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps;
  11. Replace your RADIUS shared secrets.

That long list might perhaps be why OneLogin's been a bit brief in public: it's a lot of stuff to get done and could set tongues-a-wagging if the extent of the risk became widely known.

Which was bound to happen anyway.

The company says it is “working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident.” In the email to customers it adds that it can't reveal all, due to the involvement of law enforcement agencies. The blog says the company is “actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”

OneLogin offers a single sign-on and other authentication management services it says gives “employees, customers and partners with secure access to your cloud and company apps on any device.”

It's not the only such outfit: The Register in no way suggests that the likes of Okta, VMware and Citrix have been attacked, but notes all offer single-sign-on across lots of cloudy apps and are therefore obviously a tasty target for criminals who want to get their hands on lots of credentials with one hit. ®


Biting the hand that feeds IT © 1998–2017