OneLogin Breach traced back to AWS Key Compromise

Earlier this week password vault service OneLogin detected unauthorized access to its data. OneLogin CISO Alvaro Hoyos posted Wednesday:

“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident.”

OneLogin later posted an update:

“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”

Securing AWS is complicated. There are a large number of possible roles and permissions which, if configured incorrectly, can expose keys and data unintentionally. An Engage Identity Cloud Security Audit can help your company understand the most secure cloud configuration for your needs. It is not yet known how OneLogin’s AWS keys became compromised, but it is entirely possible that they were exposed through a misconfigured permission.
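OneLogin’s update describes stolen access keys being used from an intermediate host at another provider to call the AWS API and create instances. As an added example (not OneLogin’s code and not from the original post), the following Python flags CloudTrail-style records in which an access key makes a footprint-expanding call such as RunInstances from a source IP outside that key’s previously observed set; the event records, key IDs and the baseline of known source IPs are all constructed for this illustration.

```python
# Constructed CloudTrail-style records. Field names follow CloudTrail's
# eventName / sourceIPAddress / userIdentity.accessKeyId layout; the key IDs,
# addresses and timestamps are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T08:55:10Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2017-05-31T09:01:42Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2017-05-31T09:03:05Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
]

# Constructed baseline: the source IPs each key has been seen from during
# normal operation (in practice, built from historical CloudTrail data).
KNOWN_SOURCES = {
    "AKIAEXAMPLE0001": {"203.0.113.10"},
    "AKIAEXAMPLE0002": {"203.0.113.10"},
}

# API calls that create compute or credentials. A stolen key calling these
# from an unfamiliar network is the pattern described in the post.
SENSITIVE_ACTIONS = {"RunInstances", "CreateAccessKey", "CreateUser",
                     "AttachUserPolicy"}


def find_suspicious_calls(events, known_sources):
    """Return (accessKeyId, eventName, sourceIPAddress, eventTime) for each
    sensitive call made from a source IP not in that key's baseline.
    A key with no baseline at all is treated as new and therefore flagged."""
    alerts = []
    for ev in events:
        if ev.get("eventName") not in SENSITIVE_ACTIONS:
            continue
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        src = ev.get("sourceIPAddress", "")
        if src not in known_sources.get(key, set()):
            alerts.append((key, ev["eventName"], src, ev.get("eventTime", "")))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_calls(SAMPLE_EVENTS, KNOWN_SOURCES):
        print("ALERT: key %s called %s from new source %s at %s" % alert)
```

Only the RunInstances call from the unfamiliar address is reported; the reconnaissance DescribeInstances call is not in the sensitive set, and the second RunInstances comes from a known source.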

If you were affected by the OneLogin breach, you will be notified, and you should change all your passwords immediately. Despite this breach, password vaults are still the best way to ensure that all your passwords are long, random, and unique. “It is significantly easier to attack targets who use the same password everywhere,” says Benjamin Caudill, Founder of penetration testing company Rhino Security Labs. “We recommend that all of our clients utilize password management services, even after this incident.”

In addition to password management services, your accounts can be further protected with implementation of two-factor authentication. This is one of the many services provided by Engage Identity. If you’d like to learn more, contact us right away.