PaymentsJournal

Brace for Impact! OneLogin Has Been Hacked & Encrypted Data is Vulnerable

by Tim Sloane
June 5, 2017
in Analysts Coverage

This is another "worst case" incident for the centralized management of credentials. OneLogin's website states: "OneLogin simplifies Identity and Access Management (IAM) for a more efficient, secure enterprise, delivering an identity management software solution in the cloud trusted by thousands of customers." That trust is now obliterated. A single sign-on provider concentrates the credentials, API keys and OAuth tokens of every customer behind one set of cloud accounts, so a compromise of that provider's own cloud keys is a compromise of all of them at once. Financial institutions (FIs) will likely need even greater justification and vetting of suppliers before considering a further move to the cloud.


"Password manager and single sign-on provider OneLogin has been hacked.

In a brief blog post, the company's chief security officer Alvaro Hoyos said that it was aware of "unauthorized access to OneLogin data in our US data region," and that it had reached out to customers.

Hoyos said that the company had blocked the unauthorized access after the breach and is working with law enforcement.

The blog post initially lacked detailed information about the incident, although the post had omitted that hackers had stolen sensitive customer data — a point that the company had instead only mentioned in an email sent to customers, seen by ZDNet.

"OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised," the email read.

Later in the day, the company said in an update: "Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US."

The company confirmed that the attack appears to have started at 2am (PT), but staff were alerted to unusual database activity some seven hours later, and "within minutes, shut down the affected instance as well as the AWS keys that were used to create it".

“The threat actor was able to access database tables that contain information about users, apps, and various types of keys,” the company said.

The company added that although it encrypts "certain sensitive data at rest," it could not rule out the possibility that the hacker "also obtained the ability to decrypt data".

But a spokesperson did not say what kind of data is and isn't encrypted. We have asked for clarity, and will update when we hear back.

Some had questioned earlier in the day how the hackers had access to customer data that could ultimately be decrypted.

“Am I the only 1 to find it disturbing OneLogin had a decryption method for customer data accessible enough to be grabbed via breach?” said one user on Twitter.

The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens — used for logging into accounts — as well as to create new security certificates. The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted.

The company also hasn’t said how many customers were affected.

According to its website, dozens of major multinationals, including ARM, Dun & Bradstreet, The Carlyle Group, Conde Nast, and Dropbox (which a spokesperson disputed in an email), are customers.

OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It’s thought that the company has millions of users serving more than 2,000 companies in dozens of countries, according to CrunchBase.

The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web Services, Microsoft’s Office 365, LinkedIn, Slack, Twitter, and Google services.

It’s the second such breach in as many years. Last August, the company warned users that its Secure Notes service had been accessed by an “unauthorized user,” but it denied that any customer data had been compromised.”

Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Service

Read the full story here
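The timeline above (stolen long-lived AWS keys used from an unfamiliar host at another provider, a new instance spun up with them, and a seven-hour gap before anyone noticed the unusual activity) is exactly the pattern a cloud-account monitoring rule should catch. The following is an added example, not code from OneLogin, ZDNet or PaymentsJournal: it runs a simple detection over constructed CloudTrail-style records (the sample log lines, the `203.0.113.0/24` allowlist, the key ID and the timestamps are all invented for illustration and are not data from the incident). It flags long-lived IAM user keys (`AKIA...`) used from outside the networks where they are expected, raises the severity when the call is one that expands an attacker's foothold such as `RunInstances`, and measures the dwell time between the first suspicious call and the moment an alert reached a human.

```python
"""Flag AWS API calls made with a long-lived access key from an unexpected
source network, and measure how long the activity went unnoticed.

Constructed example. Field names follow the CloudTrail record format
(eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId); the
records, IPs, key ID and times below are invented for illustration.
"""
import ipaddress
import json
from datetime import datetime, timezone

# Constructed sample log (newline-delimited JSON), not real OneLogin/AWS data.
# The 09:00Z start loosely mirrors the report's "2am (PT)" for illustration.
SAMPLE_LOG = """
{"eventTime": "2017-05-31T08:30:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}}
{"eventTime": "2017-05-31T09:00:00Z", "eventName": "ListBuckets", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}}
{"eventTime": "2017-05-31T09:05:00Z", "eventName": "RunInstances", "sourceIPAddress": "198.51.100.23", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}}
{"eventTime": "2017-05-31T10:00:00Z", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.11", "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}}
""".strip()

# Hypothetical allowlist: networks from which this key is expected to be used
# (for example the owner's CI runners and admin VPN egress).
KNOWN_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]

# API calls that let an intruder expand a foothold (launch compute, mint new
# credentials, escalate). Any of these from an unexpected source is "high".
PRIVILEGED_ACTIONS = {"RunInstances", "CreateAccessKey", "CreateUser",
                      "AttachUserPolicy", "PutUserPolicy", "AssumeRole"}


def _parse_time(text):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing 'Z'."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_events(log_text):
    """Parse newline-delimited JSON records, attaching a parsed datetime."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = _parse_time(rec["eventTime"])
        events.append(rec)
    return events


def is_known_source(ip_text, known=KNOWN_SOURCES):
    """True if the source address lies inside an expected network."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        # CloudTrail puts service principals (e.g. "ec2.amazonaws.com") in this
        # field for calls made by AWS services; they are not client IPs and are
        # out of scope for this particular rule.
        return True
    return any(ip in net for net in known)


def find_suspicious(events, known=KNOWN_SOURCES):
    """Return findings for long-lived IAM user keys used from unexpected sources."""
    findings = []
    for rec in events:
        key_id = rec.get("userIdentity", {}).get("accessKeyId")
        # Long-lived IAM user keys start with AKIA; temporary STS credentials
        # start with ASIA and expire on their own, so they get a different rule.
        if not key_id or not key_id.startswith("AKIA"):
            continue
        if is_known_source(rec["sourceIPAddress"], known):
            continue
        severity = "high" if rec["eventName"] in PRIVILEGED_ACTIONS else "medium"
        findings.append({
            "time": rec["time"],
            "accessKeyId": key_id,
            "eventName": rec["eventName"],
            "sourceIPAddress": rec["sourceIPAddress"],
            "severity": severity,
        })
    return findings


def dwell_time_hours(findings, alert_time_text):
    """Hours between the first suspicious call and the time a human was alerted."""
    if not findings:
        return 0.0
    first = min(f["time"] for f in findings)
    return (_parse_time(alert_time_text) - first).total_seconds() / 3600.0


if __name__ == "__main__":
    found = find_suspicious(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['time']:%Y-%m-%d %H:%M}Z {f['severity']:6} {f['accessKeyId']} "
              f"{f['eventName']} from {f['sourceIPAddress']}")
    # Constructed alert time, seven hours after the first flagged call.
    print(f"dwell time: {dwell_time_hours(found, '2017-05-31T16:00:00Z'):.1f} h")
```

The two calls from `198.51.100.23` are flagged, with `RunInstances` at high severity because it is the call that lets the attacker create the "affected instance" the report describes, and the dwell time shows what a seven-hour gap between first use and alert looks like in numbers. In production the allowlist would come from an inventory of where each key legitimately runs, the records from CloudTrail itself, and the response to a high-severity finding would be the same one OneLogin eventually took: disable the key and terminate anything it created.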

Tags: Fraud Risk and Analytics