PSA: OneLogin Breached. Here’s What You Need to Do.

This is a public service announcement from Wordfence. We are sending this notice to the WordPress community due to the widespread nature and potential severity of this security issue. It has a high likelihood of impacting some of our readers and requires immediate action on their part.

Single sign-on provider OneLogin has experienced a breach. If you or your company uses OneLogin to sign in to applications, or if you use any of their other services, you need to be aware of this and may need to take several actions immediately.

In the past 24 hours, OneLogin sent out the following notice about a security incident:

On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.

Emphasis ours; we have bolded the section that says attackers managed to decrypt encrypted data because this could be particularly damaging to OneLogin customers. You can view the full notice in this screenshot, including the necessary actions that OneLogin suggests.

This is not the first time OneLogin has experienced a breach. Their ‘secure notes’ feature was breached in August of last year.

The long list of actions OneLogin suggests users take is as follows:

  • If you replicate your directory password to provisioned applications, force a OneLogin directory password reset for your users.
  • Generate new certificates for your apps that use SAML SSO.
  • Generate new API credentials and OAuth tokens.
  • Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
  • Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite, Workday, Namely and UltiPro.
  • Generate and apply new Desktop SSO tokens.
  • Recycle any secrets stored in Secure Notes.
  • Update the credentials you use to authenticate to third party apps for provisioning.
  • Update the admin-configured login credentials for apps that use form-based authentication.
  • Have your end users update their passwords for the form-based authentication apps that they can edit, including personal apps.
  • Replace your RADIUS shared secrets.

If you use OneLogin, you should have received an email from them with a link to an article that contains the above guidance with additional detail. The article unfortunately requires you to sign in using OneLogin to access it. Screenshot here.

OneLogin has also published a brief blog post about the incident without any additional detail.

This story is also being covered by the BBC, The Register, Motherboard and by Brian Krebs.

Please share this with the community so that any users of OneLogin are made aware and can take immediate action to mitigate any damage.


Comments

19 Comments
  • I for one am never using onelogin ever again. The rest, if smart, should consider moving away.

    • I have yet to see a piece of paper being hacked or subjected to any kind of phishing attempt or malware etc etc etc

      I write all my passwords down on a small piece of paper and then hide it when I am not around.

      Why people want to hand over their passwords to a provider they don't know so that they are subject to a single point of failure or store all their personal data in the cloud is a complete mystery to me. I think it is just laziness aka convenience. I can't think of another reason why you would do it?

      • You realize that does absolutely nothing to protect you from a breach like this right?

        "customer data was compromised, including the ability to decrypt encrypted data"

        Translation: They don't need your password when they do this. This is what gives it to them - along with all of your other data. There is not a single company/government/whatever that is 100% immune to hacks - period. It just takes a better hacker.

        • My point here refers to sites other than password managers in your case of course.

          Paypal isn't immune. Your bank isn't immune. Etc.....

      • Well you are susceptible to literal phishing where somebody finds your unencrypted paper, fire damage, you are unable to work off-site or with colleagues and if the worst happens and you are killed then do you have a plan in place for your next of kin to take over the reins?

        Also it heavily implies that you do not have very secure passwords on your services or you would be spending a long time typing complex long randomised passwords from paper to screen.

        It also makes me think you don't have that many services because a long unsorted list of passwords would be difficult to quickly find the correct one.

        Using a password management company is scary to give that information up to a third party but it has many benefits. These companies generally take security very seriously and the breaches are few and quite far between.

        It's a massive pain to be hit by this situation but I would suggest that for most people they will be cycling their passwords because of employee churn more often than a data breach.

  • I'd just written an article advising my users to think about using TFA and a password manager too. It really does seem absolutely nothing is safe. I think I'll hold off publishing it.

    • Hi Daniel — I'm not sure if you're familiar with Troy Hunt, but he wrote an interesting article on the topic of whether or not to trust Password Managers: https://www.troyhunt.com/password-managers-dont-have-to-be-perfect-they-just-have-to-be-better-than-not-having-one/ (Apologies to the Wordfence crew if you don't appreciate external linking...)

      • Hi Kyle,

        In the case of Troy, I have no problem linking to his site. I'm editing your link to make it clickable.

        Troy runs haveibeenpwned.com which I'm constantly recommending on this site and recently recommended at a security talk I gave.

        Mark.

  • The list of customers suggests that whoever breached Onelogin is going to have a cornucopia of sites to snoop around in - banking, finance, tech, (including DropBox), and a lot of big brands.

    Do you think the hackers would have unrestricted access to all these customers? I am just wondering how that risk would be countered? Perhaps a restricted list of IPs?

    • You couldn't fight the damage here with an IP block list. OneLogin would have to get the services that use them to deactivate/deauth all the affected accounts. Accounts that don't have a back-up factor like email or cellphone would, of course, be screwed, and who knows how long it would take all those providers to implement a deauth? What a freaking mess.

  • Password managers are the ULTIMATE target for hackers.
    Nothing provides better ROI on their time and resources than hacking a password manager.

    To me personally, that was always obvious and that's why I never used one (and never will) and why I advise my clients against it.

    The ONLY way to keep relatively safe on the internet is to turn 2FA on any service you use and AVOID all services that don't offer 2FA.

    I currently use Google Authenticator for all my 2FA needs but am considering switching to Authy because of the sync capabilities across devices.

    However, I am concerned that this convenience will come at a price.

    What if Authy gets hacked and all my 2FA generators get stolen?

  • Would WF consider reviewing the top Password Managers?

    • 1Password is my current favorite. They haven't experienced a breach yet AFAIK.

      Mark.

      • Thanks, Mark! Any feelings one way or the other about LastPass?

        • LastPass (which I use) was hacked in the last couple of years, but the hackers were not able to access any sensitive data because of the way they hash it. I don't really know the technical details of it but I know they are absolutely fanatical about security, and also about never seeing or touching your login info in unhashed form. I've been with them for a few years now and I am pretty happy.

  • I recommend to everyone I know to NEVER use any of these password services.

    Instead, use an onboard (mobile in most cases) password manager with top notch encryption.
    I also remind people to use remote lost & wipe for their devices. (Where's my Droid as one example)

    Worst case scenario, my phone is lost or stolen and I don't immediately realize it. Have fun finding my password vault if you don't know it's there. If it's in the 1 in a billion that will know where to look, they will need high powered computing and days to break into it. By then, I've changed all of my passwords as the backup is sent daily into an on premise server with no direct access to the Internet.

    All sounds like a lot of work? I set my now 87 yr old father up five years ago in <30 minutes, and the rest of our extended family and friends in the same amount of time for each.

    Laziness shouldn't be confused with convenience. Online managers are for the lazy. There are more convenient ways that are much more secure.

  • I have used Roboform for years but do NOT use their sync feature. I don't trust the cloud and this incident is a perfect example. I keep my info on my laptop and USB sticks only.
    I don't trust Dropbox, Box, One Drive, etc. either. Only use them for non-sensitive files.

  • It raises an idea in my head as to why there isn't a trusted data breach notification protocol that has been developed.

    You should be able to verify your brand with a central repository. If your company accidentally exposes passwords you publish the alert which sends out the details of all affected accounts which immediately invalidates your password on the affected service.

    I can see there is potential for abuse if this wasn't built by somebody smart. Is there some clever encryption method which would allow two parties to agree on a shared key so they can compare their two databases without actually revealing the data? So only the hits would be flagged and the non hits wouldn't be revealed as being members of a service to another service?

    Also the verification would need to be heavily restricted. It might only make sense to have individual agreements with password managers and big brands / banks.

    Seems like there is some solution in there?
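The "clever encryption method" the comment above asks about exists and is called private set intersection (PSI). What follows is an added example, not code from Wordfence or any commenter: a Diffie-Hellman style PSI in which a service learns which of its own users appear on a breached provider's list, while the provider sees only blinded values and learns nothing beyond the count. It assumes a stdlib-only toy group (arithmetic mod the Mersenne prime 2^521 - 1); a real deployment would use an elliptic-curve group with a proper hash-to-curve map.

```python
import hashlib
import secrets

# Toy group for a stdlib-only demo (assumption): arithmetic mod the Mersenne prime 2^521 - 1.
P = (1 << 521) - 1
Q = (P - 1) // 2  # order of the quadratic-residue subgroup that to_group() lands in


def to_group(identifier: str) -> int:
    """Hash a normalised account identifier to a quadratic residue mod P."""
    h = int.from_bytes(hashlib.sha256(identifier.strip().lower().encode()).digest(), "big")
    return pow(h, 2, P)


class Party:
    """One side of the protocol: a private set plus a fresh per-session exponent."""

    def __init__(self, items):
        self.items = list(items)
        self.k = 2 + secrets.randbelow(Q - 3)

    def blind_own(self):
        # Round 1 message: H(item)^k hides the hashed identifier behind the secret exponent.
        return [pow(to_group(x), self.k, P) for x in self.items]

    def reblind(self, received):
        # Round 2: raise the other side's blinded values to own exponent, preserving order.
        return [pow(v, self.k, P) for v in received]


def affected_accounts(service_users, breach_list):
    """The service learns which of ITS users are on the breached provider's list.
    The provider sees only H(u)^s values and learns nothing but how many were sent."""
    service, provider = Party(service_users), Party(breach_list)
    to_provider = service.blind_own()                    # H(u)^s
    back_to_service = provider.reblind(to_provider)      # H(u)^(s*p), same order as sent
    provider_blinded = provider.blind_own()              # H(b)^p
    secrets.SystemRandom().shuffle(provider_blinded)     # provider hides which entry is which
    # Exponentiation commutes: (H(b)^p)^s == H(u)^(s*p) exactly when b and u hash alike.
    hits = set(service.reblind(provider_blinded))
    return sorted(u for u, v in zip(service.items, back_to_service) if v in hits)


# Constructed sample input; the case difference is normalised away in to_group().
SERVICE_USERS = ["alice@example.org", "Bob@Example.org", "carol@example.org"]
BREACH_LIST = ["bob@example.org", "dave@example.org", "erin@example.org"]

if __name__ == "__main__":
    print(affected_accounts(SERVICE_USERS, BREACH_LIST))  # ['Bob@Example.org']
```

Non-matching entries on either side are never revealed in the clear, which is exactly the property the comment asks for; the remaining hard part is the out-of-band trust in who is allowed to publish a breach list.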

  • The best system I have found so far is to create your own cloud solution, but make it easy on yourself by using existing products. No nerd needed. Use a local software password manager, such as KeePass. Your password file is encrypted by the software you choose. Store that pw file with a general cloud storage service, such as OneDrive, where your file is encrypted again. Now you can access it from anywhere, even on mobile, but you aren't placing your life inside a massive target for hackers. Additionally, your file is double encrypted. In this example, even if your specific OneDrive account was compromised, all they'd find is another encrypted file. All the benefits of a password manager, but on your own terms.