Attackers Breach Popular SSO, Identity-Management Provider

Customer information stolen from OneLogin, exposing weakness of “single point of failure” approaches

On May 31, attackers used stolen API credentials to breach OneLogin’s U.S. data center — accessing OneLogin’s infrastructure for a full seven hours before the affected instance was shut down.

OneLogin provides single sign-on (SSO) and cloud identity and access management services for over 2,000 companies in 44 countries, ranging from large enterprises to small businesses. Communication reportedly sent to OneLogin’s users indicates that the encryption keys used to encrypt customers’ data are suspected of having been compromised, saying “…customer data was compromised, including the ability to decrypt encrypted data”. This will likely be one of the most severe breaches we see this year. The potential exposure of passwords, credentials and certificates of millions of OneLogin users has created a disaster of epic proportions. Every single password, credential and certificate of OneLogin’s entire customer base must be changed immediately, and there is no telling how many of the stolen credentials had already been used to access services before being changed.

This case is an unfortunate example of how a chain of key compromise events can lead to a massive data breach.

First, the API credentials to OneLogin’s cloud instance in AWS’s US data center were compromised, allowing unauthorized access to OneLogin’s systems. Next, it is suspected that during the breach, encryption keys were compromised, allowing the attackers to potentially decrypt data that includes very sensitive information: passwords, keys and credentials used for accessing various cloud services across a very large pool of users. Cloud-based SSO services are a very lucrative target for cyber criminals because they are essentially huge pools of credentials to the millions of corporate

According to data security expert Simon Hunt,

“Businesses really need a solution that grants them full and sole control of their encryption keys at all times, so that keys and data can never be exposed to government agencies, privileged insiders, or hackers during a breach.”

Of course, hindsight is 20/20 – but it is frustrating to know that proper key management would most likely have prevented, or at least significantly reduced the magnitude of, the compromise in the OneLogin breach. As demonstrated here and in other breaches, it is crucial to protect the data itself, so that a grim result like this is avoided if or when perimeter defenses fail.

In addition, it’s important to keep in mind that storing sensitive API keys and credentials in software may be easy and straightforward, but it represents a single point of failure and, as we’ve seen, may lead to havoc if compromised. On the other hand, protecting them in dedicated hardware such as tokens and smart cards is complex, expensive and, more often than not, unfeasible in a cloud environment.

Dyadic Security’s mission is to provide data protection and key management that grants both usability and security, offering enterprises and service providers solutions built for the digital age: giving enterprises full control, audit and visibility of their encryption keys while using IaaS and SaaS, and providing pure software-based means to protect credentials, keys and secrets that eliminate the single point of failure, with security guarantees comparable to hardware-based solutions.

Learn More. Watch the On Demand Webinar: How to Go Beyond BYOK with CYOK (Control Your Own Keys)

Oz Mishli

Oz is a cybersecurity expert, specializing in malware research and fraud prevention. He’s held both business and tech roles in the industry, and served in an elite intelligence unit of the IDF.