Identity management firm OneLogin informed customers on Tuesday that some of the information they stored on the company’s servers may have been accessed by hackers.
The breach is related to Secure Notes, a feature that allows users to store sensitive information such as passwords and license keys. While these notes are protected using multiple levels of AES-256 encryption, a bug caused the data to be visible in clear text in OneLogin’s log management system before it was encrypted and stored in the database.
According to the company, hackers gained access to the system used for log storage and analytics and may have viewed the logs containing the secure notes after stealing an employee’s password.
OneLogin, which has over 1,400 enterprise customers in 44 countries around the world, says there is no evidence that other systems have been compromised. Nevertheless, the company has hired a security firm to assist its investigation into this incident.
The investigation so far revealed that the attacker had access to the log management system between July 2 and August 25. Notes updated in this timeframe are believed to be at risk, but the company says only a small subset of its customers are impacted.
The flaw causing notes to be logged in clear text has been addressed and access to the logging system has been limited to certain IP addresses and SAML-based authentication. In addition, passwords have been reset for all systems that don’t support SAML or other form-based authentication.
OneLogin started notifying impacted customers on August 29, after the initial scope of the incident was established. The company has promised to keep them updated on the investigation.
In addition to its infrastructure, flaws have also been found recently in OneLogin products. In June, a researcher revealed that hackers could have breached Uber’s WordPress-powered websites due to a serious vulnerability in OneLogin SAML SSO, a plugin that provides single sign-on via SAML. The weakness allowed attackers to bypass authentication and gain access to user accounts if they could guess the associated role names.
