OneLogin has spent the past week investigating a data security breach that may have affected thousands of customers. Additional details of the breach are now available.
If you're familiar with how a typical password manager works, OneLogin does something similar at enterprise scale: it is a single sign-on and identity provider that holds the credentials of corporate users. In essence, it is a central login point through which employees of its customers, among them hospitals, financial giants, law firms, and newsrooms, sign in to their applications.
It turns out that the attacker gained unauthorised access with highly sensitive keys, using them to reach OneLogin's Amazon Web Services API from an intermediate host at another, smaller service provider. The company encrypts its customer data, but by its own account the attacker may also have obtained the ability to decrypt it.
Alvaro Hoyos, chief information security officer at OneLogin, did not name the service provider. He did, however, say that the company does not use a master key to access customer data; instead, the attacker apparently needed only a single secret key to carry out the intrusion.
Specifically, the attacker got in with a valid Amazon Web Services access key and took both encrypted data (including passwords) and unencrypted data. OneLogin does have intrusion-detection mechanisms in place, but API calls made with a legitimate key look like ordinary traffic to such systems, so the access was not flagged as it happened.
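The point above, that a valid key defeats signature-based intrusion detection, is why practitioners baseline *where* and *for what* each key is normally used and alert on departures. The following is an added example, not OneLogin's code or tooling: it reads CloudTrail-style records, learns per-key source networks and API actions from an earlier window, and flags later calls that come from an unknown network or perform a sensitive action the key has never performed. The sample records, the key ID (AWS's documentation placeholder), the /24 baseline granularity and the sensitive-action list are all constructed for illustration.

```python
"""Flag use of a valid AWS access key from outside its normal pattern.

Added example, not OneLogin's code. Field names follow CloudTrail's JSON
record layout; the events, IPs and key ID below are constructed.
"""
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a nightly backup job runs from the VPC (10.0.1.0/24),
# then the same key is used from an unknown host (203.0.113.45, TEST-NET-3).
SAMPLE_EVENTS = json.dumps({"Records": [
    {"eventTime": "2017-05-29T02:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "10.0.1.15",
     "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-30T02:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "10.0.1.15",
     "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-30T02:05:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "PutObject", "sourceIPAddress": "10.0.1.16",
     "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-31T02:00:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "CreateDBSnapshot", "sourceIPAddress": "10.0.1.15",
     "userAgent": "aws-cli/1.11.0",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-31T03:10:00Z", "eventSource": "rds.amazonaws.com",
     "eventName": "ModifyDBSnapshotAttribute", "sourceIPAddress": "203.0.113.45",
     "userAgent": "Boto3/1.4.4",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-31T03:12:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.45",
     "userAgent": "Boto3/1.4.4",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
    {"eventTime": "2017-05-31T03:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.45",
     "userAgent": "Boto3/1.4.4",
     "userIdentity": {"type": "IAMUser", "userName": "backup-job",
                      "accessKeyId": "AKIAIOSFODNN7EXAMPLE"}},
]})

# Assumed list of actions that move data out of the account (illustrative).
SENSITIVE_ACTIONS = {"CreateDBSnapshot", "CopyDBSnapshot",
                     "ModifyDBSnapshotAttribute", "GetObject"}


def parse_time(value):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def key_of(event):
    return event.get("userIdentity", {}).get("accessKeyId", "<unknown>")


def source_network(ip, prefix=24):
    """Collapse a source IP to its /24 so a baseline tolerates DHCP churn.
    Service-originated records carry a hostname here; keep it verbatim."""
    try:
        return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
    except ValueError:
        return ip


def build_baseline(events, cutoff):
    """Per key: networks it has called from and actions it has performed before cutoff."""
    networks, actions = defaultdict(set), defaultdict(set)
    for event in events:
        if parse_time(event["eventTime"]) >= cutoff:
            continue
        key = key_of(event)
        networks[key].add(source_network(event["sourceIPAddress"]))
        actions[key].add(event["eventName"])
    return {"networks": networks, "actions": actions}


def detect(raw_json, cutoff_iso, sensitive_actions=SENSITIVE_ACTIONS):
    """Return findings for events at or after cutoff that deviate from the baseline."""
    events = json.loads(raw_json)["Records"]
    cutoff = parse_time(cutoff_iso)
    baseline = build_baseline(events, cutoff)
    findings = []
    for event in events:
        if parse_time(event["eventTime"]) < cutoff:
            continue
        key, action, ip = key_of(event), event["eventName"], event["sourceIPAddress"]
        reasons = []
        if source_network(ip) not in baseline["networks"][key]:
            reasons.append(f"source {ip} is outside the networks this key has used")
        if action in sensitive_actions and action not in baseline["actions"][key]:
            reasons.append(f"sensitive action {action} never seen for this key")
        if reasons:
            findings.append({"eventTime": event["eventTime"], "accessKeyId": key,
                             "eventName": action, "sourceIPAddress": ip,
                             "severity": "high" if len(reasons) == 2 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS, "2017-05-31T00:00:00Z"):
        print(finding["severity"], finding["eventTime"], finding["eventName"],
              "from", finding["sourceIPAddress"], "|", "; ".join(finding["reasons"]))
```

Run against the sample, the nightly CreateDBSnapshot from 10.0.1.15 passes, while the three calls from 203.0.113.45 are flagged; the snapshot-sharing and object-read calls score high because they are both off-network and actions the key has never performed. A key that appears for the first time in the detection window has an empty baseline and is therefore flagged on every call, which is the right default for credentials that should only ever be used from known hosts.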
The passwords and secure notes were encrypted; however, names and email addresses were not, and the hacker got away with it all.
Last August, OneLogin warned customers that its Secure Notes service had been breached by an unauthorised user. Once again, trust in the company has been shaken.