OneLogin, an identity management software company, announced yesterday that it suffered a data breach.
"Today we detected unauthorized access to OneLogin data in our USA data region", Alvaro Hoyos, chief information security officer at OneLogin, said in a statement.
OneLogin, a major access management service (think corporate-level password manager) alerted its users yesterday of "unauthorized access" to the data of its US-based users. "At this time, OneLogin believes that all customers served by our U.S. data centre are affected and customer data was potentially compromised", it says.
OneLogin's blog post includes no other details, aside from a reference to the company's compliance page.
The company has come under fire following its announcement, on two counts: for running a system that was vulnerable to attack and in which the encryption used appears to have failed to protect data at rest, and for requiring users to pass through a OneLogin login barrier in order to read the company's advice and warnings about the attack.
The blog post had no further information or technical details about the incident. It also omitted that hackers had stolen sensitive customer data, which was only cursorily mentioned in an email to customers seen by ZDNet. Apps that use the Security Assertion Markup Language (SAML) SSO feature need new certificates, and new application programming interface (API) credentials and OAuth tokens must be generated. "We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident", the company said. "We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers", Hoyos wrote.

This isn't the first time OneLogin has been targeted: it also detected unauthorized access back in August 2016. In 2015, rival LastPass said hackers obtained some user information, although not actual passwords. A password service of this kind holds a user's credentials and then unlocks other accounts as needed. That's a contention that has been roundly denied by the cloud providers, which say they have more security expertise than most businesses.