OneLogin security chief reveals new details of data breach

Two breaches in as many years. Is the trust gone? Alvaro Hoyos, the company's chief information security officer, answered key questions.

A week after OneLogin disclosed it had been hacked, the company's security chief has said that thousands of its customers may have been affected -- but admitted that it still has a lot to learn about how it was breached.

The company has spent the past week investigating how it was breached.
OneLogin is similar to a password manager, but also manages the identities and login information of enterprise and corporate users -- from hospitals, law firms, financial giants, and even newsrooms. OneLogin acts as a central sign-in point to allow its customers -- which include millions of staff and end users -- to access their accounts on other popular sites and services, like Microsoft and Google accounts.
At the end of last month, the company announced news that nobody wants to hear. An attacker obtained and used highly sensitive keys for its Amazon-hosted cloud instance from an intermediate host -- effectively breaking into its service using its front-door key. The company added that while it encrypts sensitive data, the attacker may have "obtained the ability to decrypt" some information.
When we spoke on the phone Monday, Alvaro Hoyos, the company's chief information security officer, wouldn't name the service provider, but downplayed any connection to his company. "That's a key piece of the puzzle of how this attack was orchestrated and launched," he said. That will be for the unnamed forensics firm, hired to help Hoyos and the company augment its ongoing investigation, to determine.
As it carries out its investigation, the company has held its cards close -- and remained otherwise mum on the matter. But that lack of detail and clarity has also left a trail of confusion behind for its customers.
We reached out to several companies affected by the breach and none would comment or talk on the record. But some have privately expressed their concern at the breach.
Hoyos admitted that the response by its customers had "understandably been mixed" after it announced its systems were breached. Some had shown alarm at the apparent ease with which the hack had been carried out, and others questioned how the hackers had access to customer data that could ultimately be decrypted.
The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens -- used for logging into accounts -- as well as to create new security certificates.
One report pointed to a corporate customer affected by the breach having to "rebuild the whole authentication security system."
Hoyos denied that the company has a "master key" to access customer data, but did confirm that the hacker used a single secret key to gain a foothold to carry out the hack. "The way they gained access to our network was through this authorized [Amazon Web Services] key," he said, adding that both unencrypted and encrypted data was stolen.
"[The hacker] was able to potentially compromise keys and other secret data, including passwords" during a seven-hour period in the middle of the night, he said. The company said it uses intrusion detection to spot threats as they happen, but that the use of an authorized key went for the most part unnoticed.
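The detection gap described above -- a valid, authorized key used by someone other than its owner, with nothing about the credential itself to trip an intrusion detection system -- is usually closed by baselining how each key is normally used and alerting on departures from that profile. The following is an added example, not OneLogin's or AWS's code: it learns, per access key, the source addresses and hours of day seen during a learning window, then flags later calls from an address or at an hour never seen for that key, escalating when the call is a decryption or secret-retrieval action. The record shape and field names (eventTime, eventName, eventSource, sourceIPAddress, userIdentity.accessKeyId) follow AWS CloudTrail; every key, address and timestamp below is constructed for the example.

```python
"""Added example, not OneLogin's or AWS's code: flag anomalous use of a
valid cloud access key from CloudTrail-shaped records. All values are
constructed; the access key IDs and addresses are not real."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed learning-window records: the key is used by two application
# servers during working hours only.
BASELINE_EVENTS = [
    {"eventTime": "2017-05-29T09:02:11Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-29T14:45:03Z", "eventName": "PutObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.21",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-30T17:20:55Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
]

# Constructed records to score: one normal call, then the same valid key
# used from an unfamiliar address in the middle of the night to decrypt,
# a daytime call from a new address, and a key with no baseline at all.
NEW_EVENTS = [
    {"eventTime": "2017-05-31T14:10:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T02:05:42Z", "eventName": "Decrypt",
     "eventSource": "kms.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T02:06:10Z", "eventName": "ListBuckets",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T14:30:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.2.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T14:31:00Z", "eventName": "GetObject",
     "eventSource": "s3.amazonaws.com", "sourceIPAddress": "10.0.1.20",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000002"}},
]

# Actions that hand over plaintext secrets; an anomalous call to one of
# these is escalated regardless of how many other signals fired.
SENSITIVE_ACTIONS = frozenset({"Decrypt", "GetSecretValue"})


def _parse_time(ts):
    # CloudTrail timestamps are ISO-8601 in UTC with a trailing 'Z'.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events):
    """Per access key, record the source addresses and hours of day seen
    during the learning window. A real deployment would learn over weeks,
    not three records; the structure is what matters here."""
    profiles = defaultdict(lambda: {"ips": set(), "hours": set()})
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        profiles[key]["ips"].add(ev["sourceIPAddress"])
        profiles[key]["hours"].add(_parse_time(ev["eventTime"]).hour)
    return dict(profiles)


def detect_anomalous_key_use(baseline, events, sensitive=SENSITIVE_ACTIONS):
    """Return one alert per event that breaks its key's profile. Severity is
    'high' when the action is sensitive or more than one signal fired."""
    alerts = []
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        ip = ev["sourceIPAddress"]
        hour = _parse_time(ev["eventTime"]).hour
        reasons = []
        profile = baseline.get(key)
        if profile is None:
            reasons.append("no baseline for this key")
        else:
            if ip not in profile["ips"]:
                reasons.append("source address never seen for this key")
            if hour not in profile["hours"]:
                reasons.append("hour of day never seen for this key")
        if not reasons:
            continue  # matches the learned profile: normal use
        severity = "high" if ev["eventName"] in sensitive or len(reasons) > 1 else "medium"
        alerts.append({"time": ev["eventTime"], "key": key, "ip": ip,
                       "event": ev["eventName"], "severity": severity,
                       "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_anomalous_key_use(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(alert["severity"].upper(), alert["time"], alert["key"], alert["ip"],
              alert["event"], "; ".join(alert["reasons"]))
```

Run stand-alone, the normal daytime call from a known server produces nothing, while the night-time Decrypt call from the unfamiliar address is reported as high severity on two signals at once. The point of the per-key profile is that the credential is not the signal; where and when it is used is.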
"We encrypt secrets, like passwords and secure notes," he said, referring to the company's proprietary note-storage system, typically used by IT administrators to store sensitive network passwords. But other, less sensitive data, such as names and email addresses -- the most basic information required for companies to use the service -- were not encrypted. (Some companies choose to add more personal information to these unencrypted profiles, such as job titles and office location.)
