Enterprise access management firm OneLogin has suffered an embarrassing breach tied to a single employee’s credentials being compromised.
OneLogin on Tuesday revealed the breach affected a feature called Secure Notes that allowed its users to “store information”. That feature, however, is pitched to users as a secure way to digitally jot down credentials for access to corporate firewalls and keys to software product licenses.
The firm is concerned Secure Notes was exposed to a hacker for at least one month, though it may have been from as early as July 2 through to August 25, according to the firm’s blog post. Normally these notes should have been encrypted using “multiple levels of AES-256 encryption”, it said.
Several thousand enterprise customers, including high profile tech startups, use OneLogin for single sign-on to access enterprise cloud applications. The company has championed the SAML standard for single sign-on and promises customers an easy way to enable multi-factor authentication from devices to cloud applications.
But it appears the company wasn’t using multi-factor authentication for its own systems.
OneLogin’s CISO Alvaro Hoyos said a bug in its software caused Secure Notes to be “visible in our logging system prior to being encrypted and stored in our database”. The firm later found out that an employee’s compromised credentials were used to access this logging system.
OneLogin says a “small subset” of its customers’ Secure Notes may have been exposed by the breach; however, as a matter of caution, it has advised customers that notes from June 2 onward may have been exposed to the attacker.
“Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016,” OneLogin said.
“Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during the period of June 2, 2016 to July 24, 2016, are also at risk.”
The firm said it fixed the bug causing notes to be stored in the clear on the day it detected the bug. It also implemented SAML-based authentication for its log management system and restricted access to a limited set of IP addresses.
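The defect Hoyos describes is an ordering problem: the note body reached the logging system before it was encrypted, so anyone who could read the logs could read the notes. The following Python sketch is an added illustration, not OneLogin’s code, and it assumes nothing about their systems beyond what the article states. It shows the vulnerable ordering next to the corrected one (encrypt first, log only metadata), plus a logging filter as defence in depth that scrubs secret-looking fields even if a developer logs them by mistake. The cipher is a stand-in (HMAC-SHA256 in counter mode) so the example runs with the standard library alone; it is not the AES-256 the article mentions, and the lesson does not depend on which cipher is used.

```python
import hashlib
import hmac
import logging
import os

# Keys that must never reach a log record in the clear. The list is this
# example's own choice (assumption), not a set taken from OneLogin.
SECRET_FIELDS = {"note", "password", "secret", "license_key"}


class SecretRedactionFilter(logging.Filter):
    """Defence in depth: scrub secret-looking keys out of structured log data."""

    def filter(self, record):
        fields = getattr(record, "fields", None)
        if isinstance(fields, dict):
            record.fields = {k: "[REDACTED]" if k in SECRET_FIELDS else v
                             for k, v in fields.items()}
        return True


class ListHandler(logging.Handler):
    """Collects formatted log lines in memory so the result can be inspected."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


class FieldsFormatter(logging.Formatter):
    """Renders the message followed by the structured 'fields' dict, if any."""

    def format(self, record):
        return "%s %s" % (record.getMessage(), getattr(record, "fields", {}))


def make_logger(name, redact):
    """Build an isolated logger; with redact=True the scrubbing filter is attached."""
    logger = logging.getLogger(name)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.handlers.clear()
    logger.filters.clear()
    handler = ListHandler()
    handler.setFormatter(FieldsFormatter())
    logger.addHandler(handler)
    if redact:
        logger.addFilter(SecretRedactionFilter())
    return logger, handler


def _xor_keystream(key, nonce, data):
    """Stand-in cipher: HMAC-SHA256 in counter mode, XORed over the data.
    Not AES-256; used only to keep the example dependency-free."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def encrypt(key, plaintext):
    nonce = os.urandom(16)
    return nonce + _xor_keystream(key, nonce, plaintext)


def decrypt(key, blob):
    return _xor_keystream(key, blob[:16], blob[16:])


def store_note_vulnerable(logger, key, note_id, note):
    # The defect pattern the article describes: the note body is handed to
    # the logging system before it is encrypted.
    logger.info("saving note", extra={"fields": {"note_id": note_id, "note": note}})
    return encrypt(key, note.encode())


def store_note_fixed(logger, key, note_id, note):
    # Encrypt first; the log record carries only non-sensitive metadata.
    ciphertext = encrypt(key, note.encode())
    logger.info("saving note", extra={"fields": {"note_id": note_id,
                                                  "ciphertext_len": len(ciphertext)}})
    return ciphertext


def demo(note="firewall admin password: example-only"):
    """Run all three variants on a constructed sample note; return the log line each produced."""
    key = os.urandom(32)
    results = {}
    for name, fn, redact in [("vulnerable", store_note_vulnerable, False),
                             ("fixed", store_note_fixed, False),
                             ("vulnerable_with_filter", store_note_vulnerable, True)]:
        logger, handler = make_logger("notes." + name, redact)
        blob = fn(logger, key, 42, note)
        assert decrypt(key, blob).decode() == note  # storage round trip still works
        results[name] = handler.lines[0]
    return results


if __name__ == "__main__":
    for name, line in demo().items():
        print(name, "->", line)
```

Running it prints the note body in the `vulnerable` line only; the `fixed` line carries just the note id and ciphertext length, and the filtered variant shows `[REDACTED]` where the body would have been. The filter is a safety net, not a substitute for the ordering fix: it only catches keys it knows about, which is why the primary control is never passing plaintext secrets to the logger at all.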
“We take this matter very seriously and have retained an independent cybersecurity firm to assist in analyzing the issue fully and make sure no stone is left unturned,” wrote Hoyos.
“We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk and we will follow up with any other customers who may be impacted as a result of this incident.”