03 June, 2017
In a blog post published Tuesday, the single sign-on service wrote that it had detected unauthorized access to OneLogin data in its USA data region.
Yet the support page referenced in the email, a page which can only be viewed by customers logging in, allegedly added, "All customers served by our USA data center are affected; customer data was compromised, including the ability to decrypt encrypted data".
More than 12 million people utilize OneLogin - Yelp, AAA, Dell, Pandora and Pinterest are among its 2,000 clients. Apps that use the Security Assertion Markup Language (SAML) SSO feature need new certificates, and new application programming interface credentials and OAuth tokens must be generated.
OneLogin said in a blog post that it couldn't rule out the possibility that the attackers obtained the keys needed to decrypt encrypted data, such as stored passwords. "We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers", Hoyos wrote. The attacker used OneLogin's AWS keys from a smaller, unidentified service provider in the U.S., and was able to create new virtual server instances in order to gain visibility into, and perform reconnaissance on, OneLogin's operations.
OneLogin is now working with independent third-party security experts and law enforcement to investigate the intrusion. In many such attacks, a targeted spear-phishing email is found to be the root cause.
The company did not immediately respond to a request for more information, including whether the breach allowed hackers to decrypt customer data.
Gizmodo reached out to OneLogin for comment on yesterday's breach, but had not heard back at time of writing.