OneLogin Password Manager Hacked, Sensitive Customer Data Exposed


In an official blog post, single sign-on provider and password manager OneLogin has disclosed that hackers gained access to its database and stole sensitive customer data. According to The Star, although OneLogin did not specify which data was accessed in the breach, the company did inform its customers that the hackers had found a way to access encrypted data, including passwords.

“OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised”, the email read.

Later in the day, the company said in an update: “Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”

The company said that the attack appears to have started at 2am (PT), but staff were not alerted to unusual database activity until some seven hours later; they then, “within minutes, shut down the affected instance as well as the AWS keys that were used to create it”. It further said that even though OneLogin encrypts “certain sensitive data at rest,” it could not rule out the possibility that the hacker “also obtained the ability to decrypt data”.

OneLogin’s single sign-on service integrates with hundreds of third-party apps and services, such as Amazon Web Services, Microsoft’s Office 365, LinkedIn, Slack, Twitter, and Google services.

Back in 2015, password manager LastPass was also compromised, although the hackers could not gain access to actual passwords.

“Technology runs through my veins...” | Follow me: @DrUsmanQ usman@iPhoneinCanada.ca

  • Riddlemethis

    So much for cloud encryption.

    It’s only a matter of time before 1password will be compromised.

  • What does 1Password store in the cloud?

  • xeronine992
  • Rory Breaker

    What if you don’t store anything in the cloud?

  • Hi Riddlemethis,

    Thank you for bringing this up.

    For many years 1Password used local storage for its data and we refused to implement a server-based solution because of security concerns. When we decided that many features required by teams were not possible without a server, we made sure that it was designed to be more secure than local storage.

    Unlike OneLogin, 1Password encrypts all data on the client. In addition to the master password it also relies on a random 128-bit secret key to generate the master encryption key. The combination of your master password and the secret key guarantees the strength of the encryption. Neither the master password nor the secret key is stored on or ever sent to 1Password servers.

    It means that even if 1Password servers are breached, none of the data is going to have any value for the attackers.

    I hope that explains the difference in our approach.

    Roustem
    Founder of AgileBits and 1Password.
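
A constructed illustration of the two-secret derivation Roustem describes, added here as an example and not AgileBits' own code: the PBKDF2/HKDF construction, the round count, the salt handling, the HKDF info string and the verifier are all assumptions for this example, not 1Password's actual parameters.

```python
import hashlib
import hmac

# Constructed illustration of a two-secret key derivation (2SKD): the values
# below are assumptions for this example, not 1Password's actual settings.
PBKDF2_ROUNDS = 100_000
KEY_LEN = 32


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """Minimal HKDF (RFC 5869) extract-then-expand over HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_master_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Combine the user's password with a random 128-bit secret key that only
    the client holds. The server stores the salt (and ciphertext) but never
    sees the password or the secret key."""
    if len(secret_key) != 16:
        raise ValueError("secret key must be 128 bits")
    pw_part = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                  salt, PBKDF2_ROUNDS, KEY_LEN)
    sk_part = hkdf_sha256(secret_key, salt, b"2skd-example")
    # XOR of the two halves: reproducing the key requires BOTH inputs.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(master_key: bytes) -> bytes:
    """Stand-in for whatever server-side value would reveal a correct key
    (for example a successful decryption); constructed for this example."""
    return hashlib.sha256(b"verifier:" + master_key).digest()


def password_recoverable_from_server_data(salt: bytes, verifier: bytes,
                                          candidate_passwords, leaked_secret_key=None) -> bool:
    """What does a stolen server copy let anyone check? Without the secret key
    no password guess can be confirmed, however weak the password; only if the
    secret key has also leaked (a compromised device) does password strength
    alone decide the outcome."""
    # An unknown secret key is modelled as an arbitrary wrong value (all zeros).
    sk = leaked_secret_key if leaked_secret_key is not None else bytes(16)
    return any(make_verifier(derive_master_key(pw, sk, salt)) == verifier
               for pw in candidate_passwords)
```

The server-side copy (salt plus verifier) confirms a weak master password only when the client-held secret key is supplied as well; on its own it gives nothing to check guesses against.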

  • Thanks for sharing Roustem

  • Sam

    I went ahead and blocked you because the link you’ve provided disproves your own statement. The fact that you did not even read your own quotes (source) tells me there is little value in reading your comments.

    “Only you have your Account Key and like your Master Password it never leaves your devices. Along with your Master Password this ensures that no one but you will be able to access your 1Password data.

    See our security page for details and all the things we did beyond just enabling TLS/SSL (we did that, too, by the way).”

  • xeronine992

    Okay so everything except your master password are in the cloud? Close enough IMO.

  • xeronine992

    As long as that’s an option (I’m not sure as I still have the “legacy” version), then I imagine you’re fine. If it’s only storing it locally, then you shouldn’t have to worry about any cloud data breaches.