OneLogin, a major access management service (think corporate-level password manager) alerted its users yesterday of “unauthorized access” to the data of its US-based users. That kind of thing isn’t always serious… but it turns out this one sure was. An update posted today reveals the hacker may have had very deep access indeed.
“Our review has shown that a threat actor obtained access to a set of AWS keys…Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance,” read the company blog post detailing the attack.
“The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”
An email reportedly sent to users was more succinct:
All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.
Wow! That’s really bad! That indicates that the hacker obtained a level of access that some services don’t even create in the first place. End to end encryption and (nearly) zero knowledge systems exist to prevent this kind of hack in addition to the occasional National Security Letter.