6/1/2017
06:22 PM
OneLogin Breach Reignites Concerns over Password Managers

Entrusting all your passwords to a single organization creates a single point of failure, experts say in the wake of a new data breach at OneLogin.

A security breach at OneLogin this week has stirred familiar concerns about the problems organizations can encounter when they entrust all of their login credentials to a single password management service.

In a brief alert Wednesday, OneLogin's chief information security officer Alvaro Hoyos said the company had detected unauthorized access to its data in the US. The statement did not indicate the nature of the intrusion, or of the compromised data. Neither did it provide any information on how many customers of OneLogin's single sign-on (SSO) and cloud identity management service were impacted.

OneLogin did not respond to a Dark Reading request for comment on the incident.

In an email sent to customers this week, the company said all customers served by OneLogin's US data center had been impacted. Over 2,000 enterprises globally use OneLogin for password management. It is unclear how many of them are US-based and if the intrusion impacted all of them.

The data that was compromised included the keys for decrypting encrypted customer data, the company said in the email, which Motherboard obtained from affected customers.

The message also listed a series of tasks customers should carry out to limit their exposure to the theft. The steps OneLogin gave its customers include generating new certificates for applications that use SAML and SSO, generating new API and OAuth API keys, and generating new directory tokens and desktop SSO tokens. In addition, OneLogin urged organizations to force a password reset for users who used SSO for application access.
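Rotating an IdP signing certificate only removes the attacker's ability to mint accepted assertions once every service provider (SP) has stopped trusting the old one; a common "overlap" configuration that trusts old and new certificates together leaves the stolen key fully usable. The following script is an added example, not code from the article, OneLogin, or any affected customer: it reads the SAML 2.0 IdP metadata an SP has cached, collects the SHA-256 fingerprints of every certificate it would accept signatures from, and reports whether a compromised fingerprint is still among them. The metadata, the entityID `https://idp.example.invalid/saml` and the two certificate bodies are constructed placeholders (the bodies are not real DER certificates; only their fingerprints matter for the check).

```python
"""Check whether a compromised IdP signing certificate is still trusted by a
SAML service provider, using the SP's cached IdP metadata. Added example."""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed placeholders (assumption): these are not real certificates, just
# bytes whose SHA-256 fingerprints stand in for the pre-breach and
# post-rotation IdP signing certificates.
OLD_CERT_B64 = base64.b64encode(b"placeholder: signing cert issued before the breach").decode()
NEW_CERT_B64 = base64.b64encode(b"placeholder: signing cert issued after rotation").decode()
IDP_ENTITY_ID = "https://idp.example.invalid/saml"  # hypothetical entityID


def build_idp_metadata(cert_b64s):
    """Build minimal SAML 2.0 IdP metadata listing the given signing certs."""
    descriptors = "".join(
        '<md:KeyDescriptor use="signing"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{c}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for c in cert_b64s
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        f'entityID="{IDP_ENTITY_ID}">'
        f"<md:IDPSSODescriptor>{descriptors}</md:IDPSSODescriptor>"
        "</md:EntityDescriptor>"
    )


def cert_fingerprint(cert_b64):
    """SHA-256 over the decoded (DER) bytes; tolerates PEM-style line breaks."""
    der = base64.b64decode("".join(cert_b64.split()))
    return hashlib.sha256(der).hexdigest()


def trusted_signing_fingerprints(metadata_xml):
    """Fingerprints of every certificate the SP would accept signatures from.

    A KeyDescriptor with no 'use' attribute covers both signing and
    encryption, so it is included; use="encryption" alone is skipped.
    """
    root = ET.fromstring(metadata_xml)
    fps = set()
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            fps.add(cert_fingerprint(cert.text or ""))
    return fps


def rotation_complete(metadata_xml, compromised_fingerprints):
    """True only when no compromised certificate can still sign assertions
    this SP accepts. Trusting old and new together does not count as done."""
    still_trusted = trusted_signing_fingerprints(metadata_xml) & set(compromised_fingerprints)
    return not still_trusted


if __name__ == "__main__":
    compromised = {cert_fingerprint(OLD_CERT_B64)}
    scenarios = (
        ("before rotation", [OLD_CERT_B64]),
        ("overlap", [OLD_CERT_B64, NEW_CERT_B64]),
        ("after rotation", [NEW_CERT_B64]),
    )
    for label, certs in scenarios:
        ok = rotation_complete(build_idp_metadata(certs), compromised)
        print(f"{label:16s}: {'OK' if ok else 'STILL TRUSTS COMPROMISED CERT'}")
```

Run it against each SP's stored IdP metadata (or, for SPs that pin the IdP certificate out of band, against that pinned certificate) with the fingerprint of every certificate that existed before the breach; only an "OK" from every SP means the SAML step of the rotation is actually finished.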

OneLogin's instructions to customers suggest the company is still figuring out the extent of the breach and is not taking any chances, says Ken Spinner, vice president of field engineering at Varonis Systems.

"If I were a OneLogin customer, I would assume the worst and act accordingly," he says. "In the past we’ve seen companies initially report that a breach was confined to only a handful of customers only later to realize that it was far worse."

The data breach is another reminder of the risks organizations take in entrusting all of their passwords to a single vendor. Security experts generally consider the use of password managers a best practice because the technology can help organizations implement and enforce strong password practices. The downside is that the password manager itself becomes a single point of failure.

"OneLogin and services like it are what I call the holy grail of hacking targets," says Paul Calatayud, CTO at security vendor FireMon. "Many security-minded companies and individuals rely on these services to reduce the complexity of password management by essentially creating a master key that holds more complex passwords in one location."

A hacker that gains access to these password vaults automatically gains access to all accounts for which they are used, Calatayud says.

Organizations and individuals using OneLogin will need to change every password that was stored in the system and carry out additional monitoring of their assets as a precaution. "Any accounts that can be elevated to using two-factor should be. This removes the value of the passwords that are stolen because the second factor allows for additional protection," Calatayud says.

The company's instructions to its customers suggest that OneLogin had some design flaws, notes John Bambenek, threat research manager at Fidelis Cybersecurity.

Incidents such as this highlight the need for organizations to properly vet the vendors to which they entrust critical infrastructure data. "In this case, it's very hard to fault an enterprise for doing business with OneLogin - they have a strong reputation, healthy funding from well-known investors, and a relatively clean security track record," he says.

But generally speaking, organizations considering password management services need to vet the security track record of any vendor they consider. "It's also wise to ask them if they have outside parties test their security posture," Varonis' Spinner says. "Do they hire pen testers or participate in bug bounty programs that help them actively find and fix potential vulnerabilities before they result in a breach?"

Also important to understand are technology issues such as the hashing algorithms they use, how they store password vaults, and what kind of security controls they use on the servers that store customer data, Spinner notes.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

ebyjeeby, User Rank: Strategist, 6/2/2017 12:39:17 PM
Just figured this out?
I'm amazed that 'experts' just figured out that having all your passwords at a vendor site is a problem.