Password manager and single sign-on company OneLogin is warning users of a security breach that could expose potentially anything encrypted through its services. Hackers managed to steal a set of Amazon Web Services keys and use those to decrypt all kinds of customer data.
According to OneLogin Chief Information Security Officer Alvaro Hoyos,
The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.
The OneLogin customer support page paints an even bleaker picture saying, “All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.”
In other words, if you’re a U.S.-based OneLogin customer, every bit of data you have stored with its services is open and accessible to the hackers. OneLogin’s encryption, in this case, is essentially worthless.
OneLogin has a multistep guide customers can use to secure their data and client login credentials, although at this point any encryption or data protection system the company offers is suspect. Based on the severity of the hack, it seems OneLogin holds the keys needed to decrypt all client data, something other companies deliberately design themselves out of being able to do, precisely to avoid scenarios like this.
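As an added illustration (not OneLogin’s code, and assuming nothing about its real design), the toy vault below contrasts the two key-custody models the paragraph describes: a record encrypted under a provider-held key is readable by anyone who obtains that provider’s credentials, while a record encrypted under a key derived from the user’s own secret is not. The cipher is a standard-library HMAC-counter-mode-plus-HMAC construction standing in for AES-GCM, and every function name is invented for this example.

```python
import hashlib
import hmac
import os

NONCE_LEN, TAG_LEN, SALT_LEN = 16, 32, 16

def _subkey(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode stands in for AES-CTR (the stdlib has no AES).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_subkey(key, b"enc"), nonce, len(plaintext))))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(key, record):
    nonce, ct, tag = record[:NONCE_LEN], record[NONCE_LEN:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered record")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(key, b"enc"), nonce, len(ct))))

def _user_key(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password, salt, 200_000)

# Model 1: the provider encrypts under a key it holds itself (say, in its own cloud
# account), so whoever obtains the provider's credentials obtains that key as well.
def store_with_provider_key(provider_kek, secret):
    return encrypt(provider_kek, secret)

# Model 2: the key is derived from a secret only the user knows; the provider keeps
# salt and ciphertext but never holds a key that could be stolen along with them.
def store_with_user_key(password, secret):
    salt = os.urandom(SALT_LEN)
    return salt + encrypt(_user_key(password, salt), secret)

def open_with_user_key(password, record):
    return decrypt(_user_key(password, record[:SALT_LEN]), record[SALT_LEN:])

def recoverable_with_provider_keys(provider_kek, record):
    # What a compromise of every provider-side key yields for one stored record.
    try:
        return decrypt(provider_kek, record)
    except ValueError:
        return None
```

In the first model a stolen provider key returns the plaintext; in the second the same theft yields nothing, because the only key that opens the record never existed on the provider’s side.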
The company says it’s working with law enforcement and an independent third-party company to investigate the breach. Hopefully that third-party company is suggesting a less fragile encryption system.