The implicit promise of password management and single sign-on services like OneLogin is that they keep your credentials safe and private so you won’t have to worry about remembering them or writing them down somewhere insecure. As such, it isn’t uncommon for these services themselves to become the target of malicious attacks aimed at pilfering their customers’ data. It is somewhat rare, however, for such services to fall victim to a very serious breach of security, like what just happened to OneLogin at the end of last month.
Unlike a dedicated password manager like LastPass or 1Password, the idea of a single sign-on service like OneLogin is that you won’t have to create and maintain separate user accounts and passwords for a myriad of sites and services. You only need to enter your OneLogin credentials in sites that support it and OneLogin takes care of the authentication. As a platform used by many businesses and companies, OneLogin pretty much has a large target painted on its back. And someone apparently hit the bullseye.
On May 31, OneLogin detected unauthorized access to its databases in the US. While it was able to shut down the parts of the service that may have been affected, it was, by then, too late. Within minutes, the attacker was able to access database information including users, apps, and keys. But that isn’t actually the worst part.
Many services encrypt data, sometimes to the frustration of authorities, to ensure that even if data is stolen or leaked, it would still be protected. Such encryption, however, is pointless if the attacker also gains the ability to decrypt that data. Unfortunately for OneLogin and its customers, that might be exactly what happened here.
OneLogin says that it has already informed customers of the actions needed to protect their data and accounts, but suffice it to say, it will be a lot of work for both the company and its users. The investigation is still ongoing, but it’s not hard to imagine OneLogin taking a massive hit after this incident.