OneLogin Password Manager Hacked; Users’ Data Can be Decrypted
OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.
"Customer data was compromised, including the ability to decrypt encrypted data," reads the message OneLogin sent to customers. According to Motherboard, the message also directed customers to a list of required steps to minimize any damage from the breach, such as generating new API keys and OAuth tokens (OAuth being a system for logging into accounts), creating new security certificates as well as credentials; recycling any secrets stored in OneLogin's Secure Notes feature; and having end-users update their passwords.
A threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Through the AWS API, the actor created several instances in OneLogin's infrastructure to do reconnaissance. The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While OneLogin encrypts certain sensitive data at rest, it cannot at this time rule out the possibility that the threat actor also obtained the ability to decrypt that data.
If OneLogin did things correctly, it would have implemented "zero knowledge" privacy for user data, meaning the data is encrypted locally on the user's device and sent to OneLogin's servers without the key. If that is the case, the risk to the stolen data comes down to the strength of each user's master password, since the ciphertext can only be opened by someone who can derive the key from that password. That is why it is so important to use a very long, unique master password for this kind of service, and to enforce two-factor authentication as well. You really don't want to be put in a situation where you have to change 300+ credentials in a hurry.