OneLogin Announces Security Breach That Exposed Customer “Secure Notes”
OneLogin has announced a server security breach that allowed an intruder to take a peek at customer Secure Notes thanks to a bug in the company’s logging procedures.
The San Francisco-based startup, which provides a relatively popular SSO (Single-Sign-On) service, has detailed a series of misfortunate events that led to a serious and embarrassing security breach.
Hacker had access to the server for almost two months
OneLogin says that the data breach started when an attacker managed to gain access to one of its employees’ credentials for a server used to store logs and analytics information.
The attacker accessed that system between July 2, 2016, and August 25, when the company discovered the intrusion.
While in normal circumstances the attacker would have been greeted by a bunch of boring and useless log lines, OneLogin says that a bug in the logging system exposed data from Secure Notes in clear text.
Bug stored encrypted data in cleartext in OneLogin’s logs
OneLogin offers Secure Notes to its customers as a notepad utility that stores text information on the company’s servers in an encrypted format. On its website, the company even recommends customers to use Secure Notes for storing passwords and license keys.
According to Alvaro Hoyos, OneLogin’s Chief Information Security Officer, the Secure Notes system that encrypts the data using multiple levels of AES-256 encryption had a bug that caused the notes to be visible in the logs in their cleartext form.
The intruder had access to all Secure Notes created and edited between July 25 and August 25, the period in which the bug was present in the system, and the attacker accessed the server.
No OneLogin user details exposed
OneLogin says that, besides the content of some Secure Notes, customer personal information was never in danger, nor were other OneLogin systems.
In the meantime, Hoyos says OneLogin boosted server security with SAML-based authentication and whitelisted access to internal systems to only a limited set of internal IP addresses.
OneLogin says it also reset all passwords for all systems that don’t support SAML authentication, as a precautionary measure, in case the attacker managed to escalate their access to other pieces of their infrastructure.
The company is currently notifying users of the incident and letting them know that some of their Secure Notes might have been exposed, so they could take precautionary measures. A copy of this email can be read below.
— Troy Hunt (@troyhunt) August 30, 2016