Identity manager OneLogin hacked, user data accessed

By

Customers required to reset credentials.

Millions of OneLogin customers will need to take urgent action to protect their organisational and third-party accounts, after the single sign-on provider revealed it had been hacked and its user credentials compromised.

Identity manager OneLogin hacked, user data accessed

OneLogin advised (log in required) that "all customers served by our US data centre are affected; customer data was compromised, including the ability to decrypt data".

The company's chief information security officer Alvaro Hoyos confirmed the breach, and said OneLogin was working with law enforcement and an unnamed independent security firm to ascertain the extent of the incident.

Customers are now required to take action and perform a large number of steps to secure their OneLogin and third-party service accounts.

This includes forcing OneLogin directory password resets if the SSO Password feature is in use. Apps that use the Security Assertion Markup Language (SAML) SSO feature need new certificates, and new application programming interface credentials and OAuth tokens must be generated.

New tokens for Active Directory and LDAP Directory connectors must also be generated and applied, along with desktop SSO tokens.

Any API or OAuth credentials used to authenticate to third-party directories such as Google's G Suite, WordDay, Namely and UtilPro must be updated.

Last year, a bug caused OneLogin's Secure Notes information storage feature to be visible in its logging system for at least a month.

At the same time, a OneLogin staffer's password was taken, and the logging system was accessed by an unknown unauthorised user.

Update: Hoyos revealed that as the attacker had obtained access to a set of the company’s Amazon Web Services digital keys, they may have been able to decrypt sensitive data.

The attacker was able to access database tables that contain information about users, apps, and various types of digital keys, Hoyos said.

Hoyos said OneLogin was erring on the side of caution and advising customers of the possibility of further information leakage. 

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © iTnews.com.au . All rights reserved.
Tags:
hackingsecuritysso

Sponsored Whitepapers

Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Datacom + Microsoft Azure: Turn Ideas Into Impact in Just 4 Weeks
Protect APIs. Protect Your Business.
Protect APIs. Protect Your Business.
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
KnowBe4 Benchmark Report: Reducing Human Risk & Phishing Vulnerability in ANZ
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Modern Identity for SAP and Beyond: Replace SAP IDM with Saviynt
Saviynt Simplifies GRC and Access Control for SAP and Beyond
Saviynt Simplifies GRC and Access Control for SAP and Beyond

Events

Most Read Articles

Ex-student charged over Western Sydney University cyberattacks

Ex-student charged over Western Sydney University cyberattacks
SA Water plans 'once-in-a-generation' core technology uplift

SA Water plans 'once-in-a-generation' core technology uplift
WhatsApp banned on US House of Representatives devices

WhatsApp banned on US House of Representatives devices
Victoria's first government tech chief steps down

Victoria's first government tech chief steps down
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?