Although the number of customers may not be that high, the number of employees could be in the millions

Jun 7, 2017 21:11 GMT

It's been a week since OneLogin disclosed that it was the victim of a data breach and the company admits that it still doesn't know much about the incident, other than the fact that thousands of its customers may have been affected. 

According to the announcement made last week, all customers serviced by the affected US server were at risk. Now, the company says that thousands of customers were affected, although it does not know how the breach came to be.

OneLogin is a service that is similar to a password manager, but takes things a step further by also managing the identities and login information of enterprise and corporate users. Its customers include hospitals, financial corporations, law firms, newsrooms, and more. OneLogin allows millions of employees to access their accounts on other sites and services, including their Google accounts, for instance.

ZDNet spoke with Alvaro Hoyos, the company's chief information security officer, trying to find out if there was anything new the company had to say on the data breach, especially since there were so many unanswered questions following last week's announcement. Hoyos said that the company has yet to find out the specifics of how this security breach happened.

Hacker got away with mixed data

It is known that the attacker obtained highly sensitive keys for the server from an intermediate host. This is also part of the reason why the company says that, while it encrypts sensitive data, it does not yet know whether the attacker also obtained the ability to decrypt some information. Hoyos now admits that both unencrypted and encrypted data were stolen by the hacker.

"We encrypt secrets, like passwords and secure notes," Hoyos told ZDNet, but he also said that less sensitive data, such as names and email addresses, were not secured.

Regardless, the company advised customers to change passwords, generate new API keys for their services, create new OAuth tokens and new security certificates. This, of course, is a lot of work and has caused quite a bit of concern among customers.

This is the second time in the past two years that the company has suffered a security breach.