OneLogin suffered a security breach compromising sensitive user data and the ability to decrypt encrypted data. Reuters/David Becker

Popular password manager OneLogin has suffered a massive security breach compromising sensitive user data and possibly the ability to decrypt data.

The San Francisco-based company, which offers users a single sign-on to multiple websites and services, counts about 2000 companies across 44 countries, more than 300 app vendors and over 70 software-as-a-service providers among its customers.

OneLogin initially disclosed the attack in a brief blog post on Thursday (1 June) offering few details, but later updated it with more information about the attack.

"Although our review is ongoing and the facts subject to change, we wanted to provide you with an update about the facts we know thus far," OneLogin said.

The company said the attack began around 2AM PST on 31 May. The hackers infiltrated its infrastructure and scoured it for several hours before OneLogin staff detected the intrusion around 9AM PST.

"Our review has shown that a threat actor obtained access to a set of [Amazon Web Services] AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US," Alvaro Hoyos, the company's chief information security officer wrote.

"Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance."

OneLogin said it managed to shut down the attack "within minutes." The firm said hackers were able to access database tables that contained user information, apps and various types of keys.

"While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data," Hoyos wrote. "We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers."

The company did not offer details on the impact of the intrusion, specify how many customers were affected or name any suspected perpetrators behind the attack.

OneLogin said it is currently working with independent third-party security experts and law enforcement agencies to investigate the breach. Affected customers have been notified and provided with an extensive list of remediation steps, going well beyond simply changing a password, to minimize any damage from the intrusion.

Users have been asked to generate new API keys and OAuth tokens, create new Desktop SSO tokens and credentials, recycle any secrets stored in Secure Notes and force a password reset for end-users, among other steps.
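The two technical facts the article gives (a stolen set of AWS keys used through the AWS API from a third party's host, then instances created for reconnaissance) map directly onto what an organisation's own CloudTrail records would show, and the remediation list above starts with revoking the keys involved. The following is an added illustration, not OneLogin's tooling or any real log data: it scans constructed CloudTrail-shaped records for API calls from outside a placeholder set of trusted ranges and for a burst of RunInstances calls by one key, and lists the access key ids that the findings implicate so they can be rotated first. The IP ranges, key ids and timestamps are all constructed.

```python
"""Added example: flag anomalous AWS API use in CloudTrail-style records.

Illustrative code only, not OneLogin's tooling. The events below are
constructed; the IP ranges and access key ids are placeholders.
"""
import ipaddress
from collections import Counter

# Constructed sample records in the shape CloudTrail emits (subset of fields).
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T08:55:03Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.20",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2017-05-31T09:01:44Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2017-05-31T09:03:10Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2017-05-31T09:03:41Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2017-05-31T09:04:12Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.5",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0001"}},
    {"eventTime": "2017-05-31T09:10:00Z", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.21",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAPLACEHOLDER0002"}},
    # AWS services calling on your behalf carry a service name, not an IP.
    {"eventTime": "2017-05-31T09:11:30Z", "eventName": "AssumeRole",
     "sourceIPAddress": "ec2.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]

# Placeholder: the ranges the organisation's own automation is expected to use.
TRUSTED_CIDRS = ["198.51.100.0/24"]


def analyze(events, trusted_cidrs=TRUSTED_CIDRS, burst_threshold=3):
    """Return a list of findings (dicts) for API activity worth triaging.

    Rule 1: a call whose source IP lies outside the trusted ranges, which is
            how a key used from a third party's host shows up in the trail.
    Rule 2: one key issuing >= burst_threshold RunInstances calls, the
            pattern of an actor standing up machines for reconnaissance.
    """
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    findings = []
    launches = Counter()
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "<no-key>")
        try:
            src = ipaddress.ip_address(ev["sourceIPAddress"])
        except ValueError:
            # Service-principal calls carry a DNS name; rule 1 does not apply.
            src = None
        if src is not None and not any(src in net for net in nets):
            findings.append({"rule": "call_from_untrusted_ip", "accessKeyId": key,
                             "eventName": ev["eventName"],
                             "eventTime": ev["eventTime"],
                             "sourceIPAddress": str(src)})
        if ev["eventName"] == "RunInstances":
            launches[key] += 1
    for key, count in launches.items():
        if count >= burst_threshold:
            findings.append({"rule": "instance_launch_burst",
                             "accessKeyId": key, "count": count})
    return findings


def keys_to_rotate(findings):
    """Access key ids named in any finding: the first credentials to revoke."""
    return sorted({f["accessKeyId"] for f in findings})


if __name__ == "__main__":
    results = analyze(SAMPLE_EVENTS)
    for finding in results:
        print(finding)
    print("rotate first:", keys_to_rotate(results))
```

On the sample data the scan reports four calls from the untrusted address, one launch burst for the same key, and therefore a single key id to rotate; the service-principal record is skipped by the IP rule rather than crashing the scan, which is the usual stumbling block when a script assumes every `sourceIPAddress` is an address.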

"We want our customers to know that the trust they have placed in us is paramount," Hoyos wrote.

This is the second reported breach OneLogin has suffered within a year.

In August last year, OneLogin revealed that an intruder had managed to break into its Secure Notes service using an employee's password and exploited a cleartext logging bug to view customers' Secure Notes data in plain text before it was encrypted.