KitGuru KitGuru.net – Tech News | Hardware News | Hardware Reviews | IOS | Mobile | Gaming | Graphics Cards
As convenient as it can be to have a password manager to help keep track of unique passwords, that convenience is swiftly stripped away when the password database gets hacked. This week, OneLogin users will want to double check their accounts as the service has warned that it has suffered a data breach, during which customer information was stolen. To make matters worse, OneLogin currently can't rule out the possibility that the attacker also managed to get hold of a data decryption tool.
OneLogin has confirmed that it detected unauthorised access in the company's US data region. The breach has since been fixed but at this point, user data has already been exposed. Here is how OneLogin explains the method of attack:
“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”
The attacker was able to access “database tables that contain information about users, apps and various types of keys”. As you would expect, OneLogin does encrypt all of its sensitive data but at this time the company “cannot rule out the possibility” that the hacker also made off with the ability to decrypt data.
If you are a OneLogin user then you will want to keep an eye on your various accounts and possibly change passwords for any sensitive accounts.
KitGuru Says: Unfortunately for those that use OneLogin, there isn't a ton of information on exactly what was stolen right now but hopefully we can get more specific details soon as the investigation continues.
It’s always a shame to hear about these kinds of stories, but hopefully they didn’t get any data decrypted and the company finds out how it happened and learns from the mistake. It would be great if they could also share what went wrong and how they fixed it so other companies can do the same and we can make all password companies more secure.
They did explain what went wrong in the story in great detail, don’t worry behind the scenes they will be in contact with other similar password managers to share best practice, it’s in all of their interest to do so.
This sort of story makes you sick to the stomach and unfortunately reinforces the belief that absolutely nothing online is safe.
Thanks for the reply, they have given us all the information they currently have, but are still researching further. I meant that once they have finished with their research, I hope they can share more although what they have already said is good enough for most people and definitely more than what most companies are willing to share so kudos to them.
I’m just curious to find the actual cause and would love to know as I’m sure other developers and security analysts are. I didn’t mean it as an attack to them as a company, because what they have done and shared is incredible, and like you say, nothing is safe online, not matter how careful you are.
always kind of figured that idea was stupid, better to have a physical or local digital spreadsheet of all your login/passwords.
Sorry I wasn’t having a go I just meant they have gave us as much information as they wanted to while remaining vague enough to discourage further attacks.
They are not going to come out and give a step by step guide on how to repeat the attack, this is because while they have fixed the exploit other smaller companies or companies with less resources may not have fixed the vulnerability.
If it was software that was the weak point One login will be working with the software provider, the software provider will then develop a patch and disseminate a patch which may or may not be used (see the chaos from last week’s NHS nightmare).
We’d all secretly love to know who screwed up but that statement is all we will get……. Until the Hollywood movie comes out ; )