Millions of OneLogin customers will need to take urgent action to protect their organisational and third-party accounts, after the single sign-on provider revealed it had been hacked and its user credentials compromised.
OneLogin advised (log in required) that "all customers served by our US data centre are affected; customer data was compromised, including the ability to decrypt data".
The company's chief information security officer Alvaro Hoyos confirmed the breach, and said OneLogin was working with law enforcement and an unnamed independent security firm to ascertain the extent of the incident.
Customers now need to work through a substantial list of steps to secure their OneLogin and third-party service accounts.
This includes forcing OneLogin directory password resets if the SSO Password feature is in use. Apps that use the Security Assertion Markup Language (SAML) SSO feature need new certificates, and new application programming interface credentials and OAuth tokens must be generated.
New tokens for Active Directory and LDAP Directory connectors must also be generated and applied, along with desktop SSO tokens.
Any API or OAuth credentials used to authenticate to third-party directories such as Google's G Suite, Workday, Namely and UltiPro must be updated.
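The SAML step above is only finished once every service provider trusts the new IdP certificate and none still trusts the old one. The following script is an added example, not code from the article or from OneLogin: it parses an IdP metadata document, fingerprints every X509Certificate in its KeyDescriptor elements, and flags any that match a known-compromised fingerprint, including the common rollover case where old and new certificates are published side by side. The metadata documents and the certificate bytes are constructed stand-ins so the script runs offline; real metadata carries full DER-encoded X.509 certificates in the same place.

```python
"""Check that SAML IdP metadata no longer carries a compromised certificate.

Added example for verifying a post-breach certificate rotation; it is not
OneLogin's code and assumes nothing about any vendor's API.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def _metadata(cert_b64_by_use: list) -> str:
    """Build a minimal IdP metadata document. Constructed for this example;
    real metadata from an IdP carries full DER X.509 certificates here."""
    kds = "".join(
        f'<md:KeyDescriptor use="{use}"><ds:KeyInfo><ds:X509Data>'
        f"<ds:X509Certificate>{b64}</ds:X509Certificate>"
        "</ds:X509Data></ds:KeyInfo></md:KeyDescriptor>"
        for use, b64 in cert_b64_by_use
    )
    return (
        f'<md:EntityDescriptor xmlns:md="{NS["md"]}" xmlns:ds="{NS["ds"]}" '
        'entityID="https://idp.example.invalid/saml">'
        '<md:IDPSSODescriptor protocolSupportEnumeration='
        '"urn:oasis:names:tc:SAML:2.0:protocol">'
        f"{kds}</md:IDPSSODescriptor></md:EntityDescriptor>"
    )


# Constructed stand-ins for DER certificate bytes (base64-encoded, as in
# real metadata). They are not parseable X.509; only their hashes matter.
OLD_CERT = base64.b64encode(b"constructed-der-bytes:old-signing-cert").decode()
NEW_CERT = base64.b64encode(b"constructed-der-bytes:new-signing-cert").decode()

OLD_METADATA = _metadata([("signing", OLD_CERT)])
NEW_METADATA = _metadata([("signing", NEW_CERT)])
# During a rollover window an IdP may publish both certificates; the old one
# must still be treated as compromised until it is gone.
ROLLOVER_METADATA = _metadata([("signing", NEW_CERT), ("signing", OLD_CERT)])


def cert_fingerprints(metadata_xml: str) -> dict:
    """Return {use: [sha256-hex, ...]} for every X509Certificate under the
    IdP's KeyDescriptor elements. A KeyDescriptor without a 'use' attribute
    may be used for both signing and encryption and is reported as 'any'."""
    root = ET.fromstring(metadata_xml)
    found = {}
    for kd in root.iterfind(".//md:IDPSSODescriptor/md:KeyDescriptor", NS):
        use = kd.get("use", "any")
        for cert in kd.iterfind(".//ds:X509Certificate", NS):
            # Metadata usually wraps the base64 across lines; strip whitespace.
            der = base64.b64decode("".join((cert.text or "").split()))
            found.setdefault(use, []).append(hashlib.sha256(der).hexdigest())
    return found


def rotation_complete(metadata_xml: str, compromised: set) -> tuple:
    """Check that no certificate in the metadata matches a compromised
    fingerprint. Returns (ok, offending) where offending lists the
    (use, fingerprint) pairs that must still be removed."""
    offending = [
        (use, fp)
        for use, fps in cert_fingerprints(metadata_xml).items()
        for fp in fps
        if fp in compromised
    ]
    return (not offending, offending)


if __name__ == "__main__":
    # Fingerprint the pre-rotation metadata once, then treat those
    # certificates as compromised for every document checked afterwards.
    compromised = set(cert_fingerprints(OLD_METADATA)["signing"])
    for name, doc in [("old", OLD_METADATA), ("rollover", ROLLOVER_METADATA),
                      ("new", NEW_METADATA)]:
        ok, bad = rotation_complete(doc, compromised)
        print(f"{name}: {'OK' if ok else 'STILL COMPROMISED ' + str(bad)}")
```

In practice the compromised set is the fingerprint of the certificate each SP trusted before the incident, and the check is run against the metadata actually handed to every SP, since an SP that still trusts the old certificate will accept assertions signed with the key the attacker may hold.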
Last year, a bug caused OneLogin's Secure Notes information storage feature to be visible in its logging system for at least a month.
At the same time, a OneLogin staffer's password was taken, and the logging system was accessed by an unknown unauthorised user.
Update: Hoyos revealed that the attacker had obtained a set of the company's Amazon Web Services (AWS) keys, and may therefore have been able to decrypt sensitive data.
The attacker was able to access database tables that contain information about users, apps, and various types of digital keys, Hoyos said.
Hoyos said OneLogin was erring on the side of caution and advising customers of the possibility of further information leakage.