James Thew - Fotolia

Users' SSO information at risk after OneLogin security breach

News roundup: OneLogin security breach puts SSO data at risk but is vague about the details. Plus, Gmail boosts its phishing detection features, and more.

Password management provider OneLogin notified its customers on May 31 that it detected unauthorized access to user data.

The company, which provides single sign-on and identity management services for enterprises, issued a statement alerting the public to the OneLogin security breach. However, the original statement from OneLogin's CISO Alvaro Hoyos was vague about the details of the attack.

"Today we detected unauthorized access to OneLogin data in our US data region," Hoyos wrote in the initial blog post. "We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident."

The initial statement from Hoyos about the OneLogin security breach didn't offer any more details than that and linked to a page on OneLogin's compliance program where vulnerability reports can be submitted; a day later, Hoyos updated the blog post with further details on the timing, methods and customer impact of the incident.

"The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers," Hoyos wrote.

Despite saying that the company reached out to its customers "with specific recommended remediation steps," the email sent to customers was also lacking specifics about the OneLogin security breach.

After repeating much of the same information included in the public statement, the email linked to a support page that users can only view after logging into their OneLogin account.

Emails sent to some OneLogin customers also included the detail that "customer data was compromised [in the OneLogin security breach], including the ability to decrypt encrypted data."

Motherboard reported that the support page for the data breach told users to generate new API keys and OAuth tokens, create new security certificate and credentials, recycle any secrets stored in the Secure Notes feature that allows users to store information such as passwords and license keys, and have end users update their passwords.

This is the second OneLogin security breach that the company has suffered in the last year. In August 2016, the company informed its customers that hackers gained access to the Secure Notes feature. The information in Secure Notes was protected by AES-256 encryption, but a vulnerability in OneLogin's implementation made the encrypted data visible as plain text.

In other news

  • Google bolstered its security features for enterprises using Gmail with new phishing protection measures. The updates focus on the early detection of phishing and spam messages and uses machine learning. "Machine learning helps Gmail block sneaky spam and phishing messages from showing up in your inbox with over 99.9 percent accuracy," Google's senior product manager, Andy Wen wrote in a blog post. "This is huge, given that 50-70 percent of messages that Gmail receives are spam." Wen explained that the early phishing detection system delays messages to perform phishing analysis on them. This feature combines with Google Safe Browsing to find and flag questionable URLs. "As we find new patterns," Wen said, "our models adapt more quickly than manual systems ever could, and get better with time." This update follows closely on the heels of a Google Docs phishing attack that abused OAuth to give hackers full access to a victim's Gmail account.
  • The director of the Office of Management and Budget Mick Mulvaney issued a memorandum for the agencies in the executive branch as a follow-up to the cybersecurity executive order President Trump signed on May 11. The executive order mandated that the executive agencies have to adopt the Federal Information Security Modernization Act of 2014 (FISMA), and the memorandum from Mulvaney outlined how this should be done and on what schedule. The first deadline in the memorandum said that the agencies must decide who will head the efforts to implement the FISMA framework by May 26. Federal agencies have until July 14 to submit their action plan for implementing the FISMA cybersecurity framework, and must respond by Aug. 9 to the individual risk assessments done of each agency.
  • Cisco and IBM Security said this week that they are teaming up to fight cybercrime. "In a new collaboration, Cisco and IBM Security will work closely together across products, services and threat intelligence for the benefit of customers," IBM said in a press release. "Cisco security solutions will integrate with IBM's QRadar to protect organizations across networks, endpoints and cloud. Customers will also benefit from the scale of IBM Global Services support of Cisco products in their Managed Security Service Provider offerings. The collaboration also establishes a new relationship between the IBM X-Force and Cisco Talos security research teams, who will begin collaborating on threat intelligence research and coordinating on major cybersecurity incidents." The IBM and Cisco security research teams recently collaborated to share threat intelligence on the WannaCry ransomware attacks.

Next Steps

Learn how enterprises can manage user risk in major password breaches

Discover how password management tools open partner opportunities

Find out why password management tops list of access control issues

Dig Deeper on Identity and access management