OneLogin, a popular cloud-based password management service, has revealed that it was hit by a security breach. The company disclosed the breach on Wednesday, stating that encrypted data stored in its United States data region had been accessed by an unauthorized party. All users in the US have been notified of the security breach and are advised to take precautions.

OneLogin is an online platform that lets customers use a single password to access all of their frequently visited websites, and it includes support for many popular applications as well. With over 12 million licensed users, the company has become a popular choice for customers who must juggle numerous passwords in their personal or business lives.

The idea behind password managers is that a user only needs to remember one password; the rest are stored in an encrypted state and entered automatically when needed. In addition to making life easier for the customer, this also means the user is more likely to choose a stronger password, because it is the only one they need to remember. If the encryption and general security of the management system are strong enough, this is a clever solution to the problem of too many complex password requirements. The problem is that if the encryption is not sufficient, all of a user's accounts can become compromised at once.

Chief information security officer Alvaro Hoyos revealed a bit more information about the security breach on the OneLogin company blog:

“We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.

While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”

The most distressing aspect of the data breach is that OneLogin has admitted that the hackers behind the incident obtained the ability to decrypt the stolen data; this would imply that OneLogin was negligent with its own encryption methods. In an effort to minimize potential risks to user credentials, OneLogin has put forth the following security precautions:

  • All users have had a forced password reset.
  • All users have been urged to generate new security keys and certificates for all websites and applications.
  • All users have been advised to recycle any secrets stored in Secure Notes.

So far, no real damage has been reported, but all users in the US were potentially compromised in the security breach. If you are a user of the OneLogin system, you should keep an eye on all of your connected accounts over the coming weeks.