OneLogin security chief reveals new details of data breach

Two breaches in as many years. Is the trust gone? Alvaro Hoyos, the company's chief information security officer, answered key questions.
Written by Zack Whittaker, Contributor


A week after OneLogin disclosed it had been hacked, the company's security chief has said that thousands of its customers may have been affected -- but admitted that it still has a lot to learn about how it was breached.

The company has spent the past week investigating how it was breached.

OneLogin is similar to a password manager, but also manages the identities and login information of enterprise and corporate users -- from hospitals, law firms, financial giants, and even newsrooms. OneLogin acts as a central sign-in point to allow its customers -- which include millions of staff and end users -- to access their accounts on other popular sites and services, like Microsoft and Google accounts.

At the end of last month, the company announced news that nobody wants to hear.

An attacker obtained and used highly sensitive keys for its Amazon-hosted cloud instance from an intermediate host -- effectively breaking into its service using its front-door key. The company added that while it encrypts sensitive data, the attacker may have "obtained the ability to decrypt" some information.

When we spoke on the phone Monday, Alvaro Hoyos, the company's chief information security officer, wouldn't name the service provider, but downplayed any connection to his company. "That's a key piece of the puzzle of how this attack was orchestrated and launched," he said. That will be for the unnamed forensics firm, hired to help Hoyos and the company augment its ongoing investigation, to determine.

As it carries out its investigation, the company has held its cards close -- and remained otherwise mum on the matter. But that lack of detail and clarity has also left a trail of confusion behind for its customers.

We reached out to several companies affected by the breach and none would comment or talk on the record. But some have privately expressed their concern at the breach.

Hoyos admitted that the response by its customers had "understandably been mixed" after it announced its systems were breached.

Some had shown alarm at the apparent ease with which the hack had been carried out, and others questioned how the hackers had access to customer data that could ultimately be decrypted.

The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens -- used for logging into accounts -- as well as to create new security certificates.

One report pointed to a corporate customer affected by the breach having to "rebuild the whole authentication security system."

Hoyos denied that the company has a "master key" to access customer data, but did confirm that the hacker used a single secret key to gain a foothold to carry out the hack. "The way they gained access to our network was through this authorized [Amazon Web Services] key," he said, adding that both unencrypted and encrypted data was stolen.

"[The hacker] was able to potentially compromise keys and other secret data, including passwords" during a seven-hour period in the middle of the night, he said. The company said it uses intrusion detection to spot threats as they happen, but that the use of an authorized key went for the most part unnoticed.
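The detection gap described above is that the key was authorized, so the calls looked legitimate. The following added example (not OneLogin's code, and not based on any real log from the incident) shows how a defender can still flag such use by baselining which hosts and hours each key is normally used from; the CloudTrail-style records, the key ID, the hosts and the business-hours window are all constructed for illustration.

```python
import json
from datetime import datetime

# Constructed CloudTrail-style records (sample data, not from the breach):
# one authorized access key, first used from its usual host in working hours,
# then from an unfamiliar host around 02:00 UTC, including KMS Decrypt calls.
SAMPLE_LOG = """
{"eventTime": "2017-05-30T14:02:11Z", "eventName": "ListBuckets", "userIdentity": {"accessKeyId": "AKIA0000EXAMPLE"}, "sourceIPAddress": "10.0.1.25"}
{"eventTime": "2017-05-31T02:14:09Z", "eventName": "GetObject", "userIdentity": {"accessKeyId": "AKIA0000EXAMPLE"}, "sourceIPAddress": "203.0.113.77"}
{"eventTime": "2017-05-31T02:15:40Z", "eventName": "Decrypt", "userIdentity": {"accessKeyId": "AKIA0000EXAMPLE"}, "sourceIPAddress": "203.0.113.77"}
{"eventTime": "2017-05-31T09:30:00Z", "eventName": "Decrypt", "userIdentity": {"accessKeyId": "AKIA0000EXAMPLE"}, "sourceIPAddress": "10.0.1.25"}
"""

# Assumed baseline: hosts each key is expected to be used from (in practice
# learned from weeks of prior logs) and the hours in which use is routine.
BASELINE_HOSTS = {"AKIA0000EXAMPLE": {"10.0.1.25"}}
BUSINESS_HOURS_UTC = range(6, 22)
SENSITIVE_CALLS = {"Decrypt", "GetSecretValue"}


def parse_events(log_text):
    """Parse one JSON record per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def flag_events(events, baseline=BASELINE_HOSTS, hours=BUSINESS_HOURS_UTC):
    """Return (event, reasons) for every call that uses an authorized key in an
    unusual way: from a host outside the key's baseline, outside business
    hours, or a sensitive (decryption/secret) call from an unknown host."""
    flagged = []
    for ev in events:
        key = ev["userIdentity"]["accessKeyId"]
        src = ev["sourceIPAddress"]
        hour = datetime.strptime(ev["eventTime"], "%Y-%m-%dT%H:%M:%SZ").hour
        reasons = []
        new_host = src not in baseline.get(key, set())
        if new_host:
            reasons.append("unknown source host")
        if hour not in hours:
            reasons.append("outside business hours")
        if new_host and ev["eventName"] in SENSITIVE_CALLS:
            reasons.append("sensitive call from unknown host")
        if reasons:
            flagged.append((ev, reasons))
    return flagged


def summarize(log_text):
    """Map each flagged event time to its reasons, for quick analyst review."""
    return {ev["eventTime"]: reasons for ev, reasons in flag_events(parse_events(log_text))}


if __name__ == "__main__":
    for when, why in summarize(SAMPLE_LOG).items():
        print(when, "->", ", ".join(why))
```

A baseline of this kind is what turns "authorized key used" from a non-event into an alert; the same key used from its usual host in working hours (the last record) is left alone.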

"We encrypt secrets, like passwords and secure notes," he said, referring to the company's proprietary note-storage system, typically used by IT administrators to store sensitive network passwords. But other, less sensitive data, such as names and email addresses -- the most basic information required for companies to use the service -- were not encrypted. (Some companies choose to add more personal information to these unencrypted profiles, such as job titles and office location.)


"It's not easy... because you need to be able to work with the data," he said. Unlike a password manager, which stores usernames and logins on behalf of, and under the control of, the individual, an identity manager's sole purpose is to store and serve a user's credentials to services that need them.

Hoyos said that the company uses a range of encryption, both at rest (in storage) and in transit, but, "no matter how you protect it or safeguard it, that it is possible to get to that data," he argued.

This is the company's second breach in as many years. The company warned users last August that its Secure Notes service had been accessed by an "unauthorized user." Trust in the company's ability to function has been shaken once again, though it's not known if the company has lost business from the breach. The perceived effect on businesses has been profound, given the breach's cascading impact: for every customer that's affected, thousands of their staff are sitting ducks for further hacks.

One veteran industry analyst with knowledge of the situation we spoke to (who didn't want to be named) called it a "business existential threat."

"[The] company's whole business model is based on companies allowing them to store and broker users' passwords with countless other major online services. If companies can't -- or no longer are willing to -- trust them to do that, they have no business," the analyst said.

Hoyos said that the company is learning the lessons from the attack, by encrypting more data, and investing in greater monitoring and adding more technical support staff.

"We're also investigating our ability to encrypt and decrypt, and how we manage our keys in that process," he said.
