Enterprise password manager OneLogin suffered a massive data breach Wednesday, and the attackers may have gained access to sensitive customer data, such as login information for a variety of companies. OneLogin manages login credentials for a variety of cloud applications for more than 2,000 enterprise clients.
The company, which said that its investigation is ongoing, wrote on its blog Wednesday that the attacker was able to access database tables that contain information about users, apps, and various types of keys. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data," the company wrote in a letter to clients.
Password Resets for 1000s of Businesses
The attack began around 2 a.m. Pacific time on Wednesday, May 31, when the malicious actor somehow obtained access to a set of Amazon Web Services (AWS) keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S., according to the company.
Through the API, the attacker was then able to create several instances of the company’s IT infrastructure to probe the company’s system. The company said it was alerted to the unusual database activity seven hours later, at which point it shut down access to the affected instance and the AWS keys associated with it. The breach is thought to be enormous, as all of company’s data centers in the U.S. were hacked.
The data breach is the latest such incident to affect a cloud service provider, which has raised questions among enterprise clients about the security of deploying their data to the cloud instead of on-premises. What appears to be particularly damaging about the attack is that OneLogin had marketed itself as a tool for enterprises to make using cloud services more secure by consolidating the management of a number of login credentials.
Second Attack in Less than a Year
The possibility that the hacker may have obtained enough data to decrypt the encrypted credentials, meanwhile, could mean that thousands of businesses, including Yelp and Pinterest, may need to change their login information for every cloud service they use.
The details are still hazy, and OneLogin has yet to make an announcement about exactly what data has been stolen. But in the meantime, the company has apparently contacted all of its clients to advise that they immediately reset any passwords stored on OneLogin’s servers.
This is not the first time that OneLogin has suffered a breach in recent months. The company also suffered a breach from July to August when an attacker using a OneLogin employee’s password was able hack its servers and access company analytics and logs.
Posted: 2017-06-02 @ 2:03pm PT
Odds are there was no or poor Privileged Account Security
Privileged Account Security – The Giant Dirty Secret in most organizations cybersecurity. Why isn't it being addressed? Lack of Courage.
The overwhelming majority of companies and government organizations are avoiding the most critical cyber-security practice of all. Dealing with privileged account security. It’s the biggest dirty secret in cybersecurity. Which is extremely unfortunate because virtually every hack on record was accomplished by someone gaining access to a privileged account then moving through the system. This usually occurs due to a successful phishing expedition. (Of which 22% are successful. Keep in mind only one is needed).
Of the small fraction of companies that even deal with this area only 1% of them actually use the products they purchase properly. Said differently – even if a CISO is buying the right things they are not using most of what you paid for. And in most cases they either have no plan to actually use critical features like Password Management, Session Management and Access Monitoring, or are moving so slow it will decades to finish. Often this is meant to purposefully deceive C-Suite and above. This puts everyone at risk.
Here is how bad things are. CMU CERT is the premier authority on cyber-security best practices. Especially for DoD. I found out that CMU CERT has no solution for themselves in this area. They actually defer to CMU IT for their own security and they have no solution in this area. Shouldn't the organization responsible for telling others what best practice is use best practices for its own security?
Why is this happening? These products inadvertently expose several huge best practice gaps. Examples include having 4X more accounts than people, non-encrypted password files or spreadsheets, emails with passwords and software programs with passwords hard coded in them and many not knowing where they all are. And having local admin permissions available on laptops and end points and not knowing where they all are either.
Why don't these folks address this? Because it means pushing the culture to change bad habits and admit to their executives and boards they even existed in the first place. Governing bodies and regulators mean well but they don’t help much. This is because the relevant regulations, SOC, HiTrust etc are too trusting and don’t specify enough detail. This gives organizations far too much room to wiggle. This all results in most companies and organizations not utilizing best practices or readily available of off the shelf products that can significantly reduce the threat.
This is not a technical issue. It's one of Courage. Courage to admit the root causes exist, to deal with the culture and lead them to fix them. To not sacrifice customers to protect egos or let the bean counters justify it's cheaper to harm customers than the bottom line.