Password Manager OneLogin Suffers Breach, Customer Data Exposed

Security vendors are not immune to attack. OneLogin, a single sign-on and password management service, says it suffered a data breach in which attackers gained access to encrypted customer information.

OneLogin suffers data breach

OneLogin says the breach affects “all customers served by our US data centre” and that “customer data was compromised including the ability to decrypt encrypted data.” Affected customers are directed to a registration-only support page that lists the steps to take, among them: forcing password resets for all users, recycling secrets stored in OneLogin’s Secure Notes, and generating new security credentials and certificates for apps and sites. The breadth of these steps follows from the decryption claim: any secret OneLogin held on a customer’s behalf, not just login passwords, has to be treated as exposed.

OneLogin says it is working with an independent security firm to investigate the cause of the unauthorized access and assess its impact. In an email to customers, the company said it cannot disclose all the details because law enforcement agencies are involved. In a blog post, it said it is working to prevent such incidents in the future and will update customers as “these improvements are implemented.”

Not the first time

Avivah Litan, a financial fraud analyst for Gartner, said that she had been warning companies about using cloud-based single sign-on services, adding that they are similar to putting all of one’s eggs in one basket, according to KrebsonSecurity.

“It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too.”

Headquartered in San Francisco, the company claims that its customers include some 2,000 companies in 44 countries, over 70 software-as-a-service providers and more than 300 app vendors. OneLogin offers a single sign-on and other authentication management services, which it claims allow users “secure access to your cloud and company apps on any device.” Some of the apps and sites that are supported by OneLogin include Slack, Cisco Webex, Microsoft Office 365, LinkedIn, Amazon Web Services, and Google Analytics.

This is not OneLogin’s first breach. In August 2016 the company told customers of a cleartext logging bug in its Secure Notes feature, disclosed after “an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics,” as ArsTechnica noted at the time. The company apologized and promised to prevent any similar occurrence, a promise this second incident undercuts.
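The 2016 incident is an instance of a common failure class: a feature encrypts data at rest, but a debug log line written before encryption ships the plaintext to a log or analytics box that is guarded far less carefully than the primary database. The example below is added here to illustrate that class; it is not OneLogin’s code, the page does not describe their actual bug beyond what is quoted above, and every name in it (the notes endpoint, the field names, the sample request) is a constructed assumption. It shows the leaky pattern next to a logging filter that scrubs sensitive fields before any handler sees the record.

```python
"""Redacting secrets before they reach a log/analytics pipeline.

Illustrative code, not OneLogin's. The anti-pattern: a request handler logs
the whole request body "for debugging", so a secret-notes payload lands in
cleartext on a log server. The fix applies a logging.Filter on the logger,
so every handler attached to it (file, syslog, analytics shipper) only ever
sees the redacted record.
"""
import logging
import re

# Keys whose values must never appear in a log line (constructed list).
SENSITIVE_KEYS = {"password", "secret", "note", "token", "private_key"}

# Catch-all for credential-looking substrings under unexpected keys,
# e.g. "password=hunter2" or "token: abc" inside a free-text field.
_LOOKS_LIKE_SECRET = re.compile(r"(?i)(password|passwd|secret|token)\s*[=:]\s*\S+")


def redact(obj):
    """Return a copy of obj with sensitive values replaced by a placeholder.

    Walks dicts and lists recursively so nested payloads are covered; strings
    are scrubbed with the catch-all pattern.
    """
    if isinstance(obj, dict):
        return {k: ("[REDACTED]" if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    if isinstance(obj, str):
        return _LOOKS_LIKE_SECRET.sub(lambda m: m.group(1) + "=[REDACTED]", obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub record.msg and record.args in place before handlers format them."""

    def filter(self, record):
        record.msg = redact(record.msg)
        if record.args:
            # logging collapses a single dict argument into record.args itself.
            if isinstance(record.args, dict):
                record.args = redact(record.args)
            else:
                record.args = tuple(redact(a) for a in record.args)
        return True


class _ListHandler(logging.Handler):
    """Stand-in for a file/syslog/analytics handler: keeps formatted lines."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def build_logger(name, redacting=True):
    """Build an isolated logger; with redacting=True the filter is attached."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = _ListHandler()
    logger.addHandler(handler)
    if redacting:
        logger.addFilter(RedactingFilter())
    return logger, handler


# Constructed sample: a "secure note" create request as the handler sees it.
SAMPLE_REQUEST = {
    "user": "alice@example.com",
    "title": "prod db",
    "note": "postgres://app:Sup3rS3cret@db.internal/prod",
    "tags": ["password=legacy-hunter2", "env:prod"],
}


def log_request(logger, body):
    """The debug line that causes the leak: the whole body is logged.

    Passing the body as a structured argument (not pre-serialized) is what
    lets the filter redact it by key before formatting.
    """
    logger.info("POST /notes body=%s", body)


def demo():
    """Run the same request through an unfiltered and a redacting logger.

    Returns (leaky_line, safe_line): the first contains the plaintext secret,
    the second does not.
    """
    leaky_logger, leaky = build_logger("notes.leaky", redacting=False)
    safe_logger, safe = build_logger("notes.safe", redacting=True)
    log_request(leaky_logger, SAMPLE_REQUEST)
    log_request(safe_logger, SAMPLE_REQUEST)
    return leaky.lines[0], safe.lines[0]


if __name__ == "__main__":
    leaky_line, safe_line = demo()
    print("LEAKY:", leaky_line)
    print("SAFE: ", safe_line)
```

Attaching the filter to the logger rather than to one handler matters: a redaction bolted onto the file handler alone does nothing for the analytics shipper added later, which is exactly the kind of standalone log system named in OneLogin’s 2016 statement.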

Pacemakers vulnerable to hacking

In other hacking-related news, the security company WhiteScope found some 8,000 bugs in pacemaker programmers, the devices clinicians use to adjust and monitor implanted pacemakers. The researchers also found that pacemakers do not authenticate the programmer talking to them, so a working programmer bought second-hand (the researchers found them listed on eBay) could be used to alter a patient’s implant.

The researchers also discovered that the physicians’ monitoring systems do not require login credentials when a pacemaker connects to them, and that patient data, including medical conditions, names, SSNs and phone numbers, was stored unencrypted on those systems. Separately, the Ponemon Institute, a research firm, found that only 17% of device manufacturers take significant steps to secure their medical products.
