OneLogin has confirmed that a bug in one of its systems allowed a hacker to view some of its users' encrypted Secure Notes.
Alvaro Hoyos, OneLogin’s chief information security officer, explains that the intruder gained access to a system that stores Secure Notes, an encrypted notepad application in which users can save passwords and other sensitive information.
"Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016… Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during the period of June 2, 2016 to July 24, 2016, are also at risk."
The breach is believed to have affected only a small number of users. Additionally, security personnel at the single sign-on company don't believe any other systems were compromised.
In response to the incident, OneLogin has fixed the bug. Hoyos notes that the identity management provider has also begun notifying customers about the incident:
"We take this matter very seriously and have retained an independent cyber security firm to assist in analysing the issue fully and making sure no stone is left unturned. We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk, and we will follow up with any other customers who may be impacted as a result of this incident."
At this time, it is believed the hacker initially gained access to the system on which Secure Notes are stored by compromising a OneLogin employee's password. It is not clear how that happened: perhaps the employee fell for a phishing attack, or perhaps they reused their OneLogin password on a service that suffered its own breach.
Whatever the cause, organisations like OneLogin need to ensure their employees follow security best practices in order to prevent a breach. One way to do so is to invest in a security awareness training programme that educates employees about the latest digital threats.
Does this sound of interest to you?
If so, contact Metacompliance and learn how its simulated phishing, e-learning, and policy management software can bring your security awareness training program to the next level.