
We’re big fans of password managers here at MakeUseOf. They make your life easier, speed up a lot of processes, and improve your security. But they also concentrate your sensitive password information in a single place — and that can be dangerous.

Case in point: OneLogin, the producer of an enterprise-level single sign-on and password management app, was hacked on May 31st, 2017. And that’s really bad news. Here’s what happened, what you should do, and some lessons we can learn.

What Happened at OneLogin?

Here’s what OneLogin says:

“…a threat actor used one of our AWS keys to gain access to our AWS platform via API from an intermediate host with another, smaller service provider in the US…”

What does that mean? It means that someone was looking through OneLogin’s sensitive data. And while much of that data is encrypted, OneLogin believes that the attackers were able to decrypt at least some of the data.

As soon as OneLogin techs detected the intrusion, they shut down the systems that were infiltrated. Unfortunately, it’s been reported that they didn’t detect the intrusion until seven hours after it started. That’s a long time to be poking through sensitive data.

What sort of data might the attackers have had access to?


“The threat actor was able to access database tables that contain information about users, apps, and various types of keys.”

While it’s unclear exactly what the scope of that list is, it’s definitely a lot of sensitive stuff.

To their credit, OneLogin has been very forthright about this incident. They’ve kept an updated blog post on their site, communicated with customers about the attack, and provided advice on what to do. There’s no indication so far that the company has obfuscated what happened. (Though they may have downplayed the seriousness of the attack somewhat.)

What You Should Do If You Use OneLogin

OneLogin quickly released a guide to help users mitigate any effects of the attack (The Register also posted this list for non-customers). The list includes password resets, new authentication tokens, getting rid of secure notes, and a number of other technical, administrator-level suggestions.


If you’re a user of OneLogin though, the obvious course of action is much simpler: change your passwords and update your authentication tokens. It’s going to take a while, but it’s worth doing, because there’s a very good chance that someone has access to everything you stored in your account. Change your master password, change the passwords to your apps, change everything that you stored in OneLogin.

And trash your secure notes.

Yes, it’s going to suck. But it’s going to suck a lot less than having one of your important services taken over by an attacker (or, possibly worse, held for ransom).

What We Can Learn From the OneLogin Hack

The first, and most worrying, lesson is clear: single sign-on (SSO) and password management companies are not immune to security threats. These companies know that security is a big deal to their customers, and that they hold a huge amount of valuable information.

But bad things happen. In this case, the API keys that gave the attackers access to OneLogin originated “from an intermediate host with another, smaller service provider in the U.S.” Despite OneLogin’s dedication to security, another company’s shortcomings may have let the attackers in.

Unfortunately, no company is hack-proof. Password management and SSO companies take security very seriously, and generally do a good job of it. But this was bound to happen.

Going forward, what can you do? Here are a few things to keep in mind when using these types of services.

Storing Everything in One Place Is a Bad Idea

Obviously you’re going to keep your passwords in your password management app. But should it be the repository for all of your sensitive information? Maybe not.

It’s easy to use LastPass’s secure notes, for example, to keep your bank account information or your home Wi-Fi password. But if that service gets hacked, you’re now looking at even more problems. You might have your credit card information stored already. Yet if you add a few more key pieces of information, identity theft becomes much easier.

Consider using another encrypted service that doesn’t store information in the cloud, like SplashID, or just encrypt and password protect a folder on your computer. It’s slightly less convenient, but it could significantly reduce the amount of difficulty in the case of a breach.

Think Twice About Single Sign-On

SSO is great because it saves a ton of time and keeps your passwords to a minimum. OpenID, signing in with social network credentials, and other similar methods are quite popular. (To be completely honest, I use these myself.)


The more secure option is to simply open an account with your email address for every site. If you’re using a password manager, this is easy. Not quite as easy as OAuth or a similar one-click sign-on, but it’s definitely more secure.

To be fair, some people do encourage the use of single sign-on as a security practice. Weigh your options.

Use Two-Factor Authentication on Important Services

We’ve talked about two-factor authentication countless times, but if you’re not familiar with it, read all about it and learn which services can use it. Then turn it on.

Which services should you use two-factor authentication for? In short, as many as you can. Your most important services, like email, banking, and cloud storage, should definitely be protected by it. Anything else is a bonus. Do it now.

Stay Sharp

OneLogin users learned a hard lesson: no service is 100 percent secure. This was a particularly harsh way to learn this lesson, but in the long run, it may be for the best. If you’re a OneLogin user, you should get busy picking up the pieces. If you’re not, consider yourself lucky, and take steps to make sure it doesn’t happen to you.

Were you affected by the OneLogin hack? Does it make you think twice about password managers or single sign-on apps? Share your thoughts in the comments below!


  1. ReadandShare
    June 19, 2017 at 4:52 pm

    LastPass claims it cannot decrypt your files alone. So that means if LP is hacked, user data will remain safe??

    • ReadandShare
      June 19, 2017 at 4:54 pm

      Brute force attacks notwithstanding...