X

OneLogin breach means you need a password fix, stat

The service says all of its data centers in the US have been hacked, with customer data "potentially compromised."

Alfred Ng Senior Reporter / CNET News
Alfred Ng was a senior reporter for CNET News. He was raised in Brooklyn and previously worked on the New York Daily News's social media and breaking news teams.
See full bio
Alfred Ng
2 min read
Internet safety illustration

Password managers are designed to help you keep track of all your complicated logins.

Minneapolis Star-Tribune/MCT via Getty Images

OneLogin has suffered one big breach. 

The password management company announced Wednesday that its data centers in the US had been hacked.

"OneLogin believes that all customers served by our US data center are affected and customer data was potential compromised," the company wrote in an email to its customers. 

Password managers have grown in popularity as people try to keep up with the many different passwords they have for their multitude of accounts online. 

And those passwords can be complicated: You're often asked to create each with at least 16 characters with various combinations of letters, numbers and things like asterisks and pound signs. Managers serve as a master key and store all that info as either an app or a browser extension, helping you to log in with hard-to-crack passwords. Unfortunately, because they hold a person's every password, managers are prime targets for attacks. A big case in point -- that LastPass breach in 2011. 

Alvaro Hoyos, OneLogin's chief information security officer, said the company blocked unauthorized access following the breach and is working with law enforcement and an independent security firm to figure out how the hack occurred. It has not revealed any details on how many customers were affected. 

The attackers were able to break in after getting a set of Amazon Web Services keys and breaching a smaller service provider that worked with OneLogin, Hoyos said. They found that the attack started on May 31 at about 2 a.m. PT and ended after staff noticed the breach seven hours later.

The company urged that its customers generate new keys for OAuth and security tokens for all their accounts, including passwords. OAuth exploitation was how up to 1 million people suffered a phishing attack through Google Docs last month without ever typing in their passwords.

OneLogin also recommended that any secrets stored in its Secure Notes feature be deleted. The thieves behind the breach are able to "decrypt encrypted data," according to OneLogin's email to its customers. 

The Secure Notes feature was breached before, in August 2016, according to the company. Despite using multiple levels of encryption, a bug in Secure Notes allowed hackers to break in and view those notes in the logging system.

The investigation into the hackers behind that breach is ongoing, Hoyos said.

Originally published June 1 at 7:33 a.m. PT.
Updated June 2 at 5:32 a.m. PT: Added details on how OneLogin had been breached.

Logging Out: Welcome to the crossroads of online life and the afterlife.

Technically Literate: Original works of short fiction with unique perspectives on tech, exclusively on CNET.