A security breach at OneLogin this week has stirred familiar concerns about the problems organizations can encounter when they entrust all of their login credentials to a single password management service.
In a brief alert Wednesday, OneLogin's chief information security officer Alvaro Hoyos said the company had detected unauthorized access to its data in the US. The statement did not indicate the nature of the intrusion, or of the compromised data. Neither did it provide any information on how many customers of OneLogin's single sign-on (SSO) and cloud identity management service were impacted.
OneLogin did not respond to a Dark Reading request for comment on the incident.
In an email sent to customers this week, the company said all customers served by OneLogin's US data center had been impacted. Over 2,000 enterprises globally use OneLogin for password management. It is unclear how many of them are US-based and if the intrusion impacted all of them.
The data that was compromised included the keys for decrypting encrypted customer data, the company said in the email, which Motherboard obtained from affected customers.
The message also contained a laundry list of tasks for customers to implement in order to mitigate their exposure to the theft. The steps OneLogin provided its customers include generating new certificates for applications that use SAML and SSO, generating new API keys and OAuth API keys, and generating new directory tokens and desktop SSO tokens. In addition, OneLogin urged organizations to force a password reset for users if they used SSO for application access.
OneLogin's instructions to customers suggest the company is still figuring out the extent of the breach and is not taking any chances, says Ken Spinner, vice president of field engineering at Varonis Systems.
"If I were a OneLogin customer, I would assume the worst and act accordingly," he says. "In the past we’ve seen companies initially report that a breach was confined to only a handful of customers only later to realize that it was far worse."
The data breach is another reminder of the risks organizations are taking in entrusting all of their passwords to a single vendor. Security experts generally consider the use of password managers a best practice because the technology can help organizations implement and enforce strong password practices. However, the downside is that password managers can also become a single point of failure.
"OneLogin and services like it are what I call the holy grail of hacking targets," says Paul Calatayud, CTO at security vendor FireMon. "Many security-minded companies and individuals rely on these services to reduce the complexity of password management by essentially creating a master key that holds more complex passwords in one location."
A hacker that gains access to these password vaults automatically gains access to all accounts for which they are used, Calatayud says.
Organizations and individuals using OneLogin will need to change every single password that was being stored in the system and do additional monitoring of their assets as a precaution. "Any accounts that can be elevated to using two-factor should be. This removes the value of the passwords that are stolen because the second factor allows for additional protection," Calatayud says.
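To make the second-factor point concrete, here is an added example (not code from the article, from OneLogin, or from any of the vendors quoted) of how a time-based one-time password check works and why a stolen password alone does not pass it. It implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library only; the secret is the RFC test-vector secret, used here as constructed input, and the `login` function, the one-step drift window, and the replay guard (`last_counter`) are design choices assumed for the illustration.

```python
import base64
import hashlib
import hmac
import struct
from typing import Optional, Tuple
from urllib.parse import quote

# Constructed input: the RFC 4226 / RFC 6238 reference secret, so the
# values below can be checked against the published test vectors.
RFC_TEST_SECRET = b"12345678901234567890"
STEP_SECONDS = 30


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter taken from the current 30-second step."""
    return hotp(secret, unix_time // STEP_SECONDS, digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                last_counter: Optional[int] = None, window: int = 1) -> Optional[int]:
    """Return the time-step counter the code matched, or None.

    Tolerates +/-`window` steps of clock drift, compares in constant time, and
    refuses any counter at or before `last_counter` so a code captured in
    transit cannot be replayed within the same step.
    """
    if not code.isdigit() or not 6 <= len(code) <= 8:
        return None
    current = unix_time // STEP_SECONDS
    for candidate in range(current - window, current + window + 1):
        if last_counter is not None and candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, len(code)), code):
            return candidate
    return None


def enrollment_uri(secret: bytes, account: str, issuer: str) -> str:
    """otpauth:// URI of the kind authenticator apps scan at enrollment (assumed format per the de facto convention)."""
    b32 = base64.b32encode(secret).decode("ascii").rstrip("=")
    label = f"{quote(issuer)}:{quote(account)}"
    return f"otpauth://totp/{label}?secret={b32}&issuer={quote(issuer)}&digits=6&period={STEP_SECONDS}"


def login(password_ok: bool, secret: bytes, code: str, unix_time: int,
          last_counter: Optional[int]) -> Tuple[bool, Optional[int]]:
    """Simulated login (hypothetical): returns (accepted, updated last_counter).

    A correct password, even one lifted from a breached vault, is rejected
    unless it is accompanied by a fresh, unused code for the current step.
    """
    if not password_ok:
        return (False, last_counter)
    used = verify_totp(secret, code, unix_time, last_counter)
    if used is None:
        return (False, last_counter)
    return (True, used)


if __name__ == "__main__":
    # Walk through the attacker's position: password known, secret not.
    now = 59  # RFC 6238 test time
    print("enrol via:", enrollment_uri(RFC_TEST_SECRET, "alice@example.com", "ExampleCorp"))
    print("code for t=59:", totp(RFC_TEST_SECRET, now))
    print("stolen password, guessed code:", login(True, RFC_TEST_SECRET, "000000", now, None))
    print("stolen password, real code:   ", login(True, RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now, None))
    print("same code replayed:           ", login(True, RFC_TEST_SECRET, totp(RFC_TEST_SECRET, now), now, 1))
```

The replay guard matters in the scenario the article describes: if an attacker who holds passwords also phishes a live code, remembering the last accepted counter per user limits that code to a single use. Push-based or hardware (FIDO) second factors close that gap further, but any second factor already strips most of the value from a dumped password vault.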
The company's instructions to its customers suggest that OneLogin had some design flaws, notes John Bambenek, threat research manager at Fidelis Cybersecurity.
Incidents such as this highlight the need for organizations to properly vet the organizations to whom they entrust critical infrastructure data. "In this case, it's very hard to fault an enterprise for doing business with OneLogin - they have a strong reputation, healthy funding from well-known investors, and a relatively clean security track record," he says.
But generally speaking, organizations considering password management services need to vet the security track record of any vendor they consider. "It's also wise to ask them if they have outside parties test their security posture," Varonis' Spinner says. "Do they hire pen testers or participate in bug bounty programs that help them actively find and fix potential vulnerabilities before they result in a breach?"
Also important to understand are technology issues such as the hashing algorithms they use, how they store password vaults, and what kind of security controls they use on the servers that store customer data, Spinner notes.
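As an added illustration of what a sound answer to Spinner's hashing question looks like (this is example code, not OneLogin's implementation, which the article does not describe), the following standard-library Python contrasts the anti-pattern to watch for, an unsalted single-pass SHA-256, with a salted, iterated PBKDF2-HMAC-SHA256 record that carries its own parameters so the work factor can be raised later. The record format (`algo$iterations$salt$hash`) and the 600,000-iteration default are assumptions for the example; the latter follows OWASP's published guidance for PBKDF2-HMAC-SHA256.

```python
import base64
import hashlib
import hmac
import os

# Assumed policy for this example; OWASP currently recommends 600,000 for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def weak_hash(password: str) -> str:
    """The anti-pattern: no salt, one pass. Equal passwords give equal hashes,
    so one precomputed table cracks every user at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated hash in a self-describing record: algo$iterations$salt$hash."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${_b64(salt)}${_b64(dk)}"


def _parse(record: str):
    """Return (iterations, salt, digest) or None for a malformed record."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGO:
        return None
    try:
        return int(parts[1]), base64.b64decode(parts[2]), base64.b64decode(parts[3])
    except (ValueError, TypeError):
        return None


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and iteration count; compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    iterations, salt, expected = parsed
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str, minimum: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record is below current policy and should be
    re-hashed at the user's next successful login."""
    parsed = _parse(record)
    return parsed is None or parsed[0] < minimum


if __name__ == "__main__":
    pw = "correct horse battery staple"  # constructed sample password
    print("unsalted sha256, user A:", weak_hash(pw))
    print("unsalted sha256, user B:", weak_hash(pw))   # identical: linkable and table-crackable
    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    print("pbkdf2 record, user A:", rec_a)
    print("pbkdf2 record, user B:", rec_b)             # different salt, different hash
    print("verify correct:", verify_password(pw, rec_a))
    print("verify wrong:  ", verify_password(pw.upper(), rec_a))
    legacy = hash_password(pw, iterations=10_000)      # an old record written under a weaker policy
    print("legacy record needs rehash:", needs_rehash(legacy))
```

When vetting a vendor, the useful follow-up questions fall straight out of this: is a per-user salt used, what is the iteration count (or memory cost, for scrypt or Argon2), is the parameter stored with the hash so it can be raised, and is the comparison constant-time. The same questions apply to how the vault encryption keys are derived and where they are kept; the article notes that in OneLogin's case the decryption keys themselves were among the compromised data.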