There was a data security breach at OneLogin, an online login manager service based in San Francisco that allows users to log in to sites and apps from a single platform. The breach has compromised customer data, and the attackers may be able to decrypt data that was stored encrypted.
The perpetrators got their hands on the user information, the apps they’re using, as well as various types of keys.
This type of breach could be extremely damaging for affected customers. Currently, more than 2,000 companies in 44 countries are on that list, as well as 300 app vendors, and more than 70 SaaS providers.
Alvaro Hoyos, the company’s chief data security officer, wrote a blog post on Wednesday, stating they put a stop to any unauthorised access and reported it to the authorities. Apart from that, he mentioned they are also working with an independent security firm to get to the bottom of this, and will keep their customers updated.
A message that was sent to the customers included a critical piece of information: it turns out it's possible for the perpetrators to decrypt the encrypted data. It also contained further steps instructing customers what to do next, which includes generating new API keys and OAuth tokens, creating new credentials and security certificates, and creating new secrets and passwords.
Avivah Litan, a financial fraud analyst at Gartner, believes this is a perfect example of why it’s a bad idea to use cloud computing services for this purpose. Calling it a massive single point of failure, she believes this is the digital equivalent of an organisation putting all its eggs in one basket.