OneLogin Breach Reignites Concerns over Password Managers

Entrusting all your passwords to a single organization creates a single point of failure, experts say in the wake of a new data breach at OneLogin.

A security breach at OneLogin this week has stirred familiar concerns about the problems organizations can encounter when they entrust all of their login credentials to a single password management service.
In a brief
alert
Wednesday, OneLogins chief information security officer Alvaro Hoyos said the company had detected unauthorized access to its data in the US. The statement did not indicate the nature of the intrusion, or of the compromised data. Neither did it provide any information on how many customers of OneLogins single sign-on (SSO) and cloud identity management service were impacted.
OneLogin did not respond to a Dark Reading request for comment on the incident.
In an email sent to customers this week, the company said all customers served by OneLogins US data center had been impacted. Over 2,000 enterprises globally use OneLogin for password management. It is unclear how many of them are US-based and if the intrusion impacted all of them.
The data that was compromised included the keys for decrypting encrypted customer data, the company said in the email, which
Motherboard
obtained from affected customers.
The message also contained a laundry list of tasks for customers to implement in order to mitigate their exposure to the theft. The
steps
OneLogin provided its customers include generating new certificates for applications that use SAML and SSO, generating new API and OAuth API keys, and generating new directory tokens and desktop SSO tokens. In addition, OneLogin urged organizations to force a password reset for users if they used SSO for application access.
OneLogins instructions to customers suggest the company is still figuring out the extent of the breach and is not taking any chances, says Ken Spinner, vice president of field engineering at Varonis Systems.
If I were a OneLogin customer, I would assume the worst and act accordingly, he says. In the past we’ve seen companies initially report that a breach was confined to only a handful of customers only later to realize that it was far worse
.
The data breach is another reminder of the risks organizations are taking in entrusting all of their passwords to a single vendor. Security experts generally consider the use of password managers a best practice because the technology can help organization implement and enforce strong password practices. However, the downside is that password managers can also become a single point of failure.
OneLogin and servlces like it are what I call the holy grail of hacking targets, says Paul Calatayud, CTO at security vendor FireMon. Many security-minded companies and individuals rely on these services to reduce the complexity of password management by essentially creating a master key that holds more complex passwords in one location.
A hacker that gains access to these password vaults automatically gains access to all accounts for which they are used, Calatayud says.
Organizations and individuals using OneLogin will need to change every single password that was being stored in the system and do additional monitoring of their assets as a precaution. Any accounts that can be elevated to using two-factor should be. This removes the value of the passwords that are stolen because the second factor allows for additional protection, Calatayud says.
The companys instructions to its customers suggest that OneLogin had some design flaws, notes John Bambenek, threat research manager at Fidelis Cybersecurity.

Black Hat USA returns to the fabulous Mandalay Bay in Las Vegas, Nevada, July 22-27, 2017. Click for information on the
conference schedule
and
to register.

Incidents such as this highlight the need for organizations to properly vet the organizations to whom, they entrust critical infrastructure data. In this case, it’s very hard to fault an enterprise for doing business with OneLogin - they have a strong reputation, healthy funding from well-known investors, and a relatively clean security track record. he says.
But generally speaking, organizations considering password management services need to vet the security track record of any vendor they consider. Its also wise to ask them if they have outside parties test their security posture, Varonis Spinner says. Do they hire pen testers or participate in bug bounty programs that help them actively find and fix potential vulnerabilities before they result in a breach?
Also important to understand are technology issues such as the hashing algorithms they use, how they store password vaults, and what kind of security controls they use on the servers that store customer data, Spinner notes.
Related Content:
Password Manager LastPass Hacked
123456 Leads The Worst Passwords Of 2016
Striving For Improvement on World Password Day
More than Half of Security Pros Rarely Change their Social Network Passwords

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
OneLogin Breach Reignites Concerns over Password Managers