Identity management firm OneLogin informed customers on Tuesday that some of the information they stored on the company’s servers may have been accessed by hackers.
The breach is related to Secure Notes, a feature that allows users to store sensitive information such as passwords and license keys. While these notes are protected using multiple levels of AES-256 encryption, a bug caused the data to be visible in clear text in OneLogin’s log management system before it was encrypted and stored in the database.
According to the company, hackers gained access to the system used for log storage and analytics and may have viewed the logs containing the secure notes after stealing an employee’s password.
OneLogin, which has over 1,400 enterprise customers in 44 countries around the world, says there is no evidence that other systems have been compromised. Nevertheless, the company has hired a security firm to assist its investigation into this incident.
The investigation so far revealed that the attacker had access to the log management system between July 2 and August 25. Notes updated in this timeframe are believed to be at risk, but the company says only a small subset of its customers are impacted.
The flaw causing notes to be logged in clear text has been addressed and access to the logging system has been limited to certain IP addresses and SAML-based authentication. In addition, passwords have been reset for all systems that don’t support SAML or other form-based authentication.
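The failure mode described above, a secret written to the log pipeline before it is encrypted for storage, is easiest to see side by side with the hardened form. The following is an added Python example, not OneLogin's code; the field names, the licence-key pattern and the sample event are constructed for illustration.

```python
import json
import re
from collections.abc import Mapping
from typing import Any

# Field names that carry user secrets (constructed list for this example).
SENSITIVE_KEYS = frozenset({"note", "note_body", "password", "license_key"})
# Fallback for licence-key-shaped tokens that land under an unexpected key.
KEY_RE = re.compile(r"\b[A-Z0-9]{4,6}(?:-[A-Z0-9]{4,6}){3,}\b")

def redact(event: Mapping[str, Any]) -> dict:
    """Copy of a structured event with secret values masked; recurses into
    nested mappings so a note wrapped in a request envelope is still caught."""
    out = {}
    for key, value in event.items():
        if key.lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, Mapping):
            out[key] = redact(value)
        elif isinstance(value, str):
            out[key] = KEY_RE.sub("[REDACTED]", value)
        else:
            out[key] = value
    return out

def log_event_vulnerable(event: Mapping[str, Any], sink: list) -> str:
    """The failure mode in the article: the whole request, note body included,
    is written to the log pipeline before the note is encrypted for storage."""
    line = json.dumps(event)
    sink.append(line)
    return line

def log_event_hardened(event: Mapping[str, Any], sink: list) -> str:
    """Same log line, scrubbed at the application boundary so the log
    management system never receives plaintext secrets."""
    line = json.dumps(redact(event))
    sink.append(line)
    return line

# Constructed sample request: a user updating a Secure Note.
SAMPLE_EVENT = {
    "action": "secure_note.update",
    "user": "alice@example.com",
    "payload": {
        "title": "Build server",
        "note": "root password: hunter2",
        "comment": "license ABCDE-12345-FGHIJ-67890 attached",
    },
}
```

Scrubbing at the application boundary is the control the logging platform's own access restrictions cannot replace: once plaintext reaches the log store, anyone with read access to that store, including an attacker holding a stolen employee credential, can read it.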
OneLogin started notifying impacted customers on August 29, after the initial scope of the incident was established. The company has promised to keep them updated on the investigation.
Beyond its infrastructure, flaws have also been found recently in OneLogin products. In June, a researcher revealed that hackers could have breached Uber’s WordPress-powered websites due to a serious vulnerability in OneLogin SAML SSO, a plugin that provides single sign-on via SAML. The weakness allowed attackers to bypass authentication and gain access to user accounts if they could guess the associated role names.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.