6/1/2017
06:22 PM

OneLogin Breach Reignites Concerns over Password Managers

Entrusting all your passwords to a single organization creates a single point of failure, experts say in the wake of a new data breach at OneLogin.

A security breach at OneLogin this week has stirred familiar concerns about the problems organizations can encounter when they entrust all of their login credentials to a single password management service.

In a brief alert Wednesday, OneLogin's chief information security officer Alvaro Hoyos said the company had detected unauthorized access to its data in the US. The statement did not indicate the nature of the intrusion, or of the compromised data. Neither did it provide any information on how many customers of OneLogin's single sign-on (SSO) and cloud identity management service were impacted.

OneLogin did not respond to a Dark Reading request for comment on the incident.

In an email sent to customers this week, the company said all customers served by OneLogin's US data center had been impacted. Over 2,000 enterprises globally use OneLogin for password management. It is unclear how many of them are US-based and if the intrusion impacted all of them.

The data that was compromised included the keys for decrypting encrypted customer data, the company said in the email, which Motherboard obtained from affected customers.

The message also contained a laundry list of tasks for customers to implement in order to mitigate their exposure to the theft. The steps OneLogin provided its customers include generating new certificates for applications that use SAML and SSO, generating new API and OAuth API keys, and generating new directory tokens and desktop SSO tokens. In addition, OneLogin urged organizations to force a password reset for users if they used SSO for application access.

OneLogin's instructions to customers suggest the company is still figuring out the extent of the breach and is not taking any chances, says Ken Spinner, vice president of field engineering at Varonis Systems.

"If I were a OneLogin customer, I would assume the worst and act accordingly," he says. "In the past we’ve seen companies initially report that a breach was confined to only a handful of customers only later to realize that it was far worse."

The data breach is another reminder of the risks organizations are taking in entrusting all of their passwords to a single vendor. Security experts generally consider the use of password managers a best practice because the technology can help organizations implement and enforce strong password practices. However, the downside is that password managers can also become a single point of failure.

"OneLogin and services like it are what I call the holy grail of hacking targets," says Paul Calatayud, CTO at security vendor FireMon. "Many security-minded companies and individuals rely on these services to reduce the complexity of password management by essentially creating a master key that holds more complex passwords in one location."

A hacker that gains access to these password vaults automatically gains access to all accounts for which they are used, Calatayud says.

Organizations and individuals using OneLogin will need to change every single password that was being stored in the system and do additional monitoring of their assets as a precaution. "Any accounts that can be elevated to using two-factor should be. This removes the value of the passwords that are stolen because the second factor allows for additional protection," Calatayud says.

The company's instructions to its customers suggest that OneLogin had some design flaws, notes John Bambenek, threat research manager at Fidelis Cybersecurity.


Incidents such as this highlight the need for organizations to properly vet the organizations to whom they entrust critical infrastructure data. "In this case, it's very hard to fault an enterprise for doing business with OneLogin - they have a strong reputation, healthy funding from well-known investors, and a relatively clean security track record," he says.

But generally speaking, organizations considering password management services need to vet the security track record of any vendor they consider. "It's also wise to ask them if they have outside parties test their security posture," Varonis' Spinner says. "Do they hire pen testers or participate in bug bounty programs that help them actively find and fix potential vulnerabilities before they result in a breach?"

Also important to understand are technology issues such as the hashing algorithms they use, how they store password vaults, and what kind of security controls they use on the servers that store customer data, Spinner notes.


Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ...

Comments
ebyjeeby,
User Rank: Strategist
6/2/2017 | 12:39:17 PM
Just figured this out?
I'm amazed that 'experts' just figured out that having all your passwords at a vendor site is a problem.