Hackers breach Password manager OneLogin
The sorry state of many people’s passwords can make things easy for hackers, which is why using a password manager is always recommended. But even these aren’t without their vulnerabilities. A problem was discovered with LastPass’ browser extension in March, and now OneLogin has suffered a major data breach.
In a blog post published Tuesday, the single sign-on service wrote that it had detected unauthorized access to OneLogin data in its US data region. The company added it had since blocked the access, and had reached out to impacted customers, though it hasn’t revealed how many were affected.
In a later update, OneLogin revealed that the hacker “obtained access to a set of AWS (Amazon Web Services) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”
What’s most worrying is that while the company says it encrypts “certain data at rest,” it could not rule out the possibility that the hacker also obtained the ability to decrypt the data.
OneLogin’s website states that over 2000 global enterprise customers secure their applications with its software, including Conde Nast, ARM, The Carlyle Group, and Pinterest. It also integrates with apps and services such as Amazon Web Services, Office 365, LinkedIn, Slack, Twitter, and Google.
Customers have been advised to force a password reset for all users, generate new API keys and security certificates for their services, and create new OAuth tokens. Some users have complained about having to log in to the site to see the security article, and that OneLogin should make it publicly available.
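The two concrete lessons of this story, for anyone running workloads on AWS, are that API calls made with stolen keys from an unexpected host show up in the API audit trail, and that any key seen in such a call is the first candidate for rotation. The following script is an added example written for this page, not code from OneLogin or from the original article. It scans a handful of constructed CloudTrail-style records (the field names follow the CloudTrail schema; the values, key IDs and RFC 5737 documentation addresses are made up), flags every call whose source address lies outside the networks a hypothetical tenant expects its own traffic to come from, and lists the access key IDs that should be deactivated and replaced. The expected network range and the sample events are assumptions for the demonstration.

```python
import ipaddress
import json

# Constructed CloudTrail-style records (JSON Lines), not real telemetry.
# Field names follow the CloudTrail event schema; the values are made up,
# and the IP addresses come from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
{"eventTime": "2017-06-01T09:12:44Z", "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2017-06-01T09:15:02Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000001"}}
{"eventTime": "2017-06-01T09:20:31Z", "eventName": "DescribeInstances", "sourceIPAddress": "ec2.amazonaws.com", "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLE000000002"}}
{"eventTime": "2017-06-01T09:25:00Z", "eventName": "PutObject", "sourceIPAddress": "203.0.113.22", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLE000000003"}}
"""

# Networks from which this (hypothetical) tenant expects its own API calls.
EXPECTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse JSON Lines into event dicts, skipping blank or malformed lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a production collector would log the bad line; we skip it
    return events


def is_expected_source(source, networks):
    """True if the source is an IP address inside one of the expected networks.

    CloudTrail records a service hostname (e.g. ec2.amazonaws.com) as the
    source when an AWS service acts on a principal's behalf; no external host
    originated such a call, so it is treated as expected here.
    """
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return True
    return any(addr in net for net in networks)


def find_unexpected_calls(events, networks=EXPECTED_NETWORKS):
    """Return (eventTime, eventName, accessKeyId, sourceIPAddress) for every
    event whose source address lies outside the expected networks."""
    hits = []
    for ev in events:
        src = ev.get("sourceIPAddress", "")
        if not is_expected_source(src, networks):
            key = ev.get("userIdentity", {}).get("accessKeyId", "<none>")
            hits.append((ev.get("eventTime"), ev.get("eventName"), key, src))
    return hits


def keys_to_rotate(events, networks=EXPECTED_NETWORKS):
    """Sorted access key IDs used from an unexpected source; each one is a
    candidate for immediate deactivation and replacement."""
    return sorted({hit[2] for hit in find_unexpected_calls(events, networks)})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for hit in find_unexpected_calls(evs):
        print("unexpected source:", hit)
    print("rotate:", keys_to_rotate(evs))
```

On the sample above the script flags the single `GetObject` call from 198.51.100.7 and names `AKIAEXAMPLE000000001` for rotation; the same key's earlier call from inside the expected range is not enough to clear it, since one use from an unknown host is what a stolen key looks like. Against a real account the records would come from a CloudTrail export rather than the embedded string, and the expected networks from the tenant's own egress ranges.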