Following a breach of their “secure notes” feature late last year, OneLogin has notified its users of a far larger breach that occurred on May 31, 2017. Covered by the BBC, Brian Krebs (Krebs on Security) and the Wordfence blog, this breach is far more damaging and affects all OneLogin users in the United States. In addition to OneLogin user data being compromised, the attackers also gained the ability to decrypt the encrypted data stored in the environment. OneLogin has advised that the attack vector appears to have been a set of compromised AWS keys that were used to access the AWS API in an effort to conduct reconnaissance on their infrastructure.
“On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”
All OneLogin users should do the following if they have not already done so, per OneLogin and out of an abundance of caution:
- If you replicate your directory password to provisioned applications, force a OneLogin directory password reset for your users.
- Generate new certificates for your apps that use SAML SSO.
- Generate new API credentials and OAuth tokens.
- Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
- Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite, Workday, Namely and UltiPro.
- Generate and apply new Desktop SSO tokens.
- Recycle any secrets stored in Secure Notes.
- Update the credentials you use to authenticate to third-party apps for provisioning.
- Update the admin-configured login credentials for apps that use form-based authentication.
- Have your end users update their passwords for the form-based authentication apps that they can edit, including personal apps.
- Replace your RADIUS shared secrets.
For more information, please see the OneLogin blog post related specifically to this event.
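The attack vector OneLogin describes, compromised AWS keys used against the AWS API for reconnaissance, is the kind of activity CloudTrail records. The following is an added example (not OneLogin's code or part of their advisory) of a defender-side check over CloudTrail-style events: it flags any access key that issues a burst of read-only Describe/List/Get calls across several services from an IP outside a trusted allowlist, so those keys can be prioritised for rotation. The event records, key IDs and the allowlist are constructed, and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict

# Constructed CloudTrail-style records: only the fields the check needs.
def _ev(key, source, name, ip):
    return {"userIdentity": {"accessKeyId": key}, "eventSource": source,
            "eventName": name, "sourceIPAddress": ip}

SAMPLE_EVENTS = [
    _ev("AKIA_CONSTRUCTED_BAD", "iam.amazonaws.com", "ListUsers", "203.0.113.7"),
    _ev("AKIA_CONSTRUCTED_BAD", "iam.amazonaws.com", "ListRoles", "203.0.113.7"),
    _ev("AKIA_CONSTRUCTED_BAD", "ec2.amazonaws.com", "DescribeInstances", "203.0.113.7"),
    _ev("AKIA_CONSTRUCTED_BAD", "s3.amazonaws.com", "ListBuckets", "203.0.113.7"),
    _ev("AKIA_CONSTRUCTED_BAD", "kms.amazonaws.com", "ListKeys", "203.0.113.7"),
    _ev("AKIA_CONSTRUCTED_OK", "ec2.amazonaws.com", "DescribeInstances", "198.51.100.10"),
    _ev("AKIA_CONSTRUCTED_OK", "ec2.amazonaws.com", "RunInstances", "198.51.100.10"),
]
TRUSTED_IPS = {"198.51.100.10"}  # constructed allowlist (e.g. CI runners, VPN egress)

RECON_PREFIXES = ("Describe", "List", "Get")  # read-only enumeration calls


def is_recon_call(event_name):
    return event_name.startswith(RECON_PREFIXES)


def flag_recon_keys(events, trusted_ips, min_services=3, min_calls=5):
    """Return {accessKeyId: summary} for keys whose activity looks like
    enumeration: many read-only calls spanning several services, at least
    partly from an IP that is not on the allowlist. Thresholds are assumed."""
    per_key = defaultdict(lambda: {"recon": 0, "services": set(), "ips": set()})
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if not key:  # role/console sessions without a long-lived key
            continue
        stats = per_key[key]
        stats["services"].add(ev["eventSource"])
        stats["ips"].add(ev["sourceIPAddress"])
        if is_recon_call(ev["eventName"]):
            stats["recon"] += 1

    flagged = {}
    for key, stats in per_key.items():
        untrusted = stats["ips"] - set(trusted_ips)
        if untrusted and stats["recon"] >= min_calls and len(stats["services"]) >= min_services:
            flagged[key] = {"recon_calls": stats["recon"],
                            "services": sorted(stats["services"]),
                            "untrusted_ips": sorted(untrusted)}
    return flagged


if __name__ == "__main__":
    for key, summary in flag_recon_keys(SAMPLE_EVENTS, TRUSTED_IPS).items():
        print(f"rotate {key}: {summary}")
```

On real data, feed the function the records from a CloudTrail export (each record already carries `userIdentity.accessKeyId`, `eventSource`, `eventName` and `sourceIPAddress`) and treat every flagged key as a candidate for immediate rotation, in line with the credential-rotation steps in the checklist above.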