OneLogin reports security breach that exposed customers' 'Secure Notes' data in clear text

Cloud-based identity access service OneLogin has announced a server security breach that allowed a hacker to access customer Secure Notes data due to a bug in the company's logging system. The company said the breach occurred when an intruder managed to gain access to its logging system that stores logs and analytics information using a OneLogin employee's password.

Announced in a blog post on 30 August, the company said a bug in the logging system exposed data in its Secure Notes facility — a feature that allows customers to securely store text information such as licence keys and firewall passwords on the company's servers in an encrypted format using multiple levels of AES-256 encryption.

However, the company said the bug caused the Secure Notes data to be visible in the company's logging system prior to being encrypted and stored in its database.

"Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016," OneLogin chief information security officer Alvaro Hoyos wrote. "Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during period of June 2, 2016 to July 24, 2016, are also at risk."

The San Francisco-based company said the breach has impacted a "small subset" of its customers and is working with them directly on the issue. It also noted that the cleartext logging bug was fixed on the same day they detected. Access to the log management system has also been restricted to just SAML-based authentication. Only a limited set of internal IP addresses are allowed to access the system.

As a precautionary measure, OneLogin has reset all passwords for external systems that don't support SAML or allow alternate forms-based authentication.

"We take this matter very seriously and have retained an independent cybersecurity firm to assist in analysing the issue fully and make sure no stone is left unturned," Hoyos wrote. "We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk and we will follow up with any other customers who may be impacted as a result of this incident."

OneLogin's announcement comes on the heels of the several data breaches that have compromised millions of customer accounts and highlighted the common, yet dangerous online practice of re-using old passwords across multiple accounts and platforms.

Last week, Opera urged users of its web sync feature to reset their passwords following a breach that potentially compromised the data of about 1.7 million active users. Dropbox also recently prompted users who signed up for the service prior to mid-2012 to reset passwords as a precautionary measure in response to the massive LinkedIn hack in 2012.