[BreachExchange] OneLogin security chief reveals new details of data breach

Destry Winant destry at riskbasedsecurity.com
Wed Jun 7 22:05:27 EDT 2017


http://www.zdnet.com/article/onelogin-security-chief-new-details-data-breach/

A week after OneLogin disclosed it had been hacked
<http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/>,
the company's security chief has said that thousands of its customers may
have been affected -- but admitted that it still has a lot to learn about
how it was breached.

The company has spent the past week investigating how it was breached.

OneLogin is similar to a password manager, but also manages the identities
and login information of enterprise and corporate users -- from hospitals,
law firms, financial giants, and even newsrooms. OneLogin acts as a central
sign-in point to allow its customers -- which include millions of staff
and end users -- to access their accounts on other popular sites and
services, like Microsoft and Google accounts.

At the end of last month, the company announced news that nobody wants to
hear.

An attacker obtained and used highly sensitive keys for its Amazon-hosted
cloud instance from an intermediate host -- effectively breaking into its
service using its front-door key. The company added that while it encrypts
sensitive data, the attacker may have "obtained the ability to decrypt"
some information.

When we spoke on the phone Monday, Alvaro Hoyos, the company's chief
information security officer, wouldn't name the service provider, but
downplayed any connection to his company. "That's a key piece of the puzzle
of how this attack was orchestrated and launched," he said. That will be
for the unnamed forensics firm, hired to help Hoyos and the company augment
its ongoing investigation, to determine.

As it carries out its investigation, the company has held its cards close
-- and remained otherwise mum on the matter. But that lack of detail and
clarity has also left a trail of confusion behind for its customers.

We reached out to several companies affected by the breach and none would
comment or talk on the record. But some have privately expressed their
concern at the breach.

Hoyos admitted that the response by its customers had "understandably been
mixed" after it announced its systems were breached.

Some had shown alarm at the apparent ease with which the hack had been
carried out, and others questioned how the hackers had access to customer
data that could ultimately be decrypted.

The company has advised customers to change their passwords, generate new
API keys for their services, and create new OAuth tokens -- used for
logging into accounts -- as well as to create new security certificates.

One report
<https://arstechnica.com/security/2017/06/onelogin-data-breach-compromised-decrypted/>
pointed to a corporate customer affected by the breach having to "rebuild
the whole authentication security system."

Hoyos denied that the company has a "master key" to access customer data,
but did confirm that the hacker used a single secret key to gain a foothold
to carry out the hack. "The way they gained access to our network was
through this authorized [Amazon Web Services] key," he said, adding that
both unencrypted and encrypted data was stolen.

"[The hacker] was able to potentially compromise keys and other secret
data, including passwords" during a seven-hour period in the middle of the
night, he said. The company said it uses intrusion detection to spot
threats as they happen, but that the use of an authorized key went for the
most part unnoticed.

"We encrypt secrets, like passwords and secure notes," he said, referring
to the company's proprietary note-storage system, typically used by IT
administrators to store sensitive network passwords. But other, less
sensitive data, such as names and email addresses -- the most basic
information required for companies to use the service -- were not
encrypted. (Some companies choose to add more personal information to these
unencrypted profiles, such as job titles and office location.)