6/1/2017 06:22 PM
OneLogin Breach Reignites Concerns over Password Managers

Entrusting all your passwords to a single organization creates a single point of failure, experts say in the wake of a new data breach at OneLogin.

A security breach at OneLogin this week has stirred familiar concerns about the problems organizations can encounter when they entrust all of their login credentials to a single password management service.

In a brief alert Wednesday, OneLogin's chief information security officer Alvaro Hoyos said the company had detected unauthorized access to its data in the US. The statement did not indicate the nature of the intrusion, or of the compromised data. Neither did it provide any information on how many customers of OneLogin's single sign-on (SSO) and cloud identity management service were impacted.

OneLogin did not respond to a Dark Reading request for comment on the incident.

In an email sent to customers this week, the company said all customers served by OneLogin's US data center had been impacted. Over 2,000 enterprises globally use OneLogin for password management. It is unclear how many of them are US-based and if the intrusion impacted all of them.

The data that was compromised included the keys for decrypting encrypted customer data, the company said in the email, which Motherboard obtained from affected customers.

The message also contained a laundry list of tasks for customers to implement in order to mitigate their exposure to the theft. The steps OneLogin provided its customers include generating new certificates for applications that use SAML and SSO, generating new API and OAuth API keys, and generating new directory tokens and desktop SSO tokens. In addition, OneLogin urged organizations to force a password reset for users if they used SSO for application access.

OneLogin's instructions to customers suggest the company is still figuring out the extent of the breach and is not taking any chances, says Ken Spinner, vice president of field engineering at Varonis Systems.

"If I were a OneLogin customer, I would assume the worst and act accordingly," he says. "In the past we’ve seen companies initially report that a breach was confined to only a handful of customers only later to realize that it was far worse."

The data breach is another reminder of the risks organizations take in entrusting all of their passwords to a single vendor. Security experts generally consider the use of password managers a best practice because the technology can help organizations implement and enforce strong password practices. The downside, however, is that a password manager can also become a single point of failure.

"OneLogin and services like it are what I call the holy grail of hacking targets," says Paul Calatayud, CTO at security vendor FireMon. "Many security-minded companies and individuals rely on these services to reduce the complexity of password management by essentially creating a master key that holds more complex passwords in one location."

A hacker that gains access to these password vaults automatically gains access to all accounts for which they are used, Calatayud says.

Organizations and individuals using OneLogin will need to change every single password that was being stored in the system and do additional monitoring of their assets as a precaution. "Any accounts that can be elevated to using two-factor should be. This removes the value of the passwords that are stolen because the second factor allows for additional protection," Calatayud says.
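The guidance quoted above (rotate SAML certificates, API and OAuth keys, directory and desktop SSO tokens, force password resets, and move accounts onto a second factor) is easier to act on with an inventory than with a memo. The following is an added example, not OneLogin's tooling or anything from the article: it takes a constructed credential inventory, flags every credential that existed before the breach was detected and has not been rotated since, and lists accounts that still lack a second factor. The credential kinds, the sample inventory and the detection timestamp are all assumptions made for the example.

```python
"""Post-breach credential rotation audit (added example, not vendor tooling).

Flags credentials issued before the breach was detected and not rotated since,
and lists SSO-backed accounts without a second factor. Standard library only.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Credential classes named in the vendor's customer guidance (assumed labels).
ROTATABLE = {
    "saml_cert", "api_key", "oauth_key",
    "directory_token", "desktop_sso_token", "user_password",
}


@dataclass
class Credential:
    owner: str
    kind: str
    issued_at: datetime
    rotated_at: Optional[datetime] = None   # None: never rotated
    mfa_enabled: bool = False


def needs_rotation(cred: Credential, detected_at: datetime) -> bool:
    """Suspect if the credential existed before detection and was not rotated afterwards."""
    if cred.kind not in ROTATABLE:
        return False
    if cred.issued_at >= detected_at:
        return False            # minted after detection: not in the exposed set
    return cred.rotated_at is None or cred.rotated_at < detected_at


def rotation_plan(inventory: List[Credential],
                  detected_at: datetime) -> Tuple[List[Credential], List[str]]:
    """Return (credentials still to rotate, owners of password accounts without MFA)."""
    to_rotate = sorted(
        (c for c in inventory if needs_rotation(c, detected_at)),
        key=lambda c: (c.kind, c.owner),
    )
    mfa_gaps = sorted(
        c.owner for c in inventory
        if c.kind == "user_password" and not c.mfa_enabled
    )
    return to_rotate, mfa_gaps


UTC = timezone.utc
# Constructed detection time for the example; not taken from the vendor's notice.
DETECTED_AT = datetime(2017, 5, 31, tzinfo=UTC)

# Constructed sample inventory.
SAMPLE_INVENTORY = [
    Credential("payroll-app", "saml_cert", datetime(2016, 9, 1, tzinfo=UTC)),
    Credential("ci-bot", "api_key", datetime(2017, 1, 10, tzinfo=UTC),
               rotated_at=datetime(2017, 6, 2, tzinfo=UTC)),        # already rotated
    Credential("crm-sync", "oauth_key", datetime(2017, 2, 1, tzinfo=UTC),
               rotated_at=datetime(2017, 3, 1, tzinfo=UTC)),        # rotated too early
    Credential("alice", "user_password", datetime(2017, 4, 1, tzinfo=UTC), mfa_enabled=True),
    Credential("bob", "user_password", datetime(2017, 6, 1, tzinfo=UTC)),   # new, but no MFA
    Credential("hr-laptop", "desktop_sso_token", datetime(2017, 5, 30, tzinfo=UTC)),
    Credential("wiki", "ssh_key", datetime(2015, 1, 1, tzinfo=UTC)),        # out of scope here
]

if __name__ == "__main__":
    rotate, gaps = rotation_plan(SAMPLE_INVENTORY, DETECTED_AT)
    for c in rotate:
        print(f"ROTATE  {c.kind:<18} {c.owner}")
    for owner in gaps:
        print(f"ENABLE MFA  {owner}")
```

The ordering by credential kind is deliberate: SAML certificates and SSO tokens gate access to many applications at once, so a responder wants them grouped rather than scattered through a per-user list. The "rotated too early" case is the one people miss; a key rotated before the intrusion was detected offers no assurance.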

The company's instructions to its customers suggest that OneLogin had some design flaws, notes John Bambenek, threat research manager at Fidelis Cybersecurity.

Incidents such as this highlight the need for organizations to properly vet the organizations to whom they entrust critical infrastructure data. "In this case, it's very hard to fault an enterprise for doing business with OneLogin - they have a strong reputation, healthy funding from well-known investors, and a relatively clean security track record," he says.

But generally speaking, organizations considering password management services need to vet the security track record of any vendor they consider. "It's also wise to ask them if they have outside parties test their security posture," Varonis' Spinner says. "Do they hire pen testers or participate in bug bounty programs that help them actively find and fix potential vulnerabilities before they result in a breach?"

Also important to understand are technology issues such as the hashing algorithms they use, how they store password vaults, and what kind of security controls they use on the servers that store customer data, Spinner notes.
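Spinner's questions about hashing algorithms and vault storage are concrete enough to check. The following is an added example, not code from OneLogin or from the article, using only Python's standard library: it contrasts the unsalted fast digest an assessor should not want to find with a salted, self-describing scrypt record that can be verified in constant time and re-parameterised later. The scrypt cost parameters and the record format are assumptions chosen for the example, not any vendor's published settings.

```python
"""Password-record storage: fast unsalted digest vs. slow salted KDF (added example).

Standard library only. Parameters and record format are illustrative assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Illustrative cost parameters (assumed): 2**14 * 8 * 128 bytes = 16 MiB per guess.
SCRYPT_N, SCRYPT_R, SCRYPT_P, KEY_LEN = 2 ** 14, 8, 1, 32


def weak_hash(password: str) -> str:
    """Unsalted SHA-256: deterministic and fast, so a leaked table is cheap to attack offline."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Per-record random salt plus scrypt; the record carries its own parameters."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the parameters stored in the record; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False
        digest = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                n=int(n), r=int(r), p=int(p), dklen=len(digest_hex) // 2)
    except (ValueError, TypeError):
        return False           # malformed record never verifies
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify_record(stored: str) -> str:
    """Rough triage of a stored record: what an assessor would look for in a vault dump."""
    if stored.startswith("scrypt$"):
        return "salted-kdf"
    if len(stored) == 64 and all(ch in "0123456789abcdef" for ch in stored):
        return "unsalted-digest"
    return "unknown"


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("verify ok:", verify_password("correct horse battery staple", rec))
    print("same password, weak scheme, identical records:",
          weak_hash("hunter2") == weak_hash("hunter2"))
    print("same password, salted scheme, distinct records:",
          hash_password("hunter2") != hash_password("hunter2"))
```

Two properties matter for the vetting question the article raises. Salting means two customers with the same password produce different records, so one cracked record does not unlock the others; the memory-hard cost means each offline guess is expensive. Neither property helps if the vendor also holds the keys that decrypt the vault contents, which is the failure the article describes; a key derived from the user's master password through this same kind of KDF, and never stored server-side, is the usual answer to that.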


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments

ebyjeeby, User Rank: Strategist, 6/2/2017 | 12:39:17 PM
Just figured this out?
I'm amazed that 'experts' just figured out that having all your passwords at a vendor site is a problem.