Reported yesterday May 31st, 2017 in a blog post written on OneLogin by Chief Information Security Officer of OneLogin, Alvaro Hoyos; there has been a data breach to the US Operating Region. The public post is quite vague about how it actually happened although it does say "The threat actor was able to access database tables that contain information about users, apps, and various types of keys." Alvaro continued on to say that while the information is decrypted, the threat actor might have been able to gather information to decrypt the information.
Also, there appears to be an article available only to OneLogin customers that stated the following information. Please keep in mind that we haven't been able to verify this information as we do not have a OneLogin account, but there have been multiple customers saying that THIS LINK is where you can find the below text.
On Wednesday, May 31, 2017 we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore have created a set of required actions:
Passwords for accessing OneLogin should not be reset unless SSO Password is enabled.
Generate new certificates for your apps that use SAML SSO.
For information about generating new certificates, see Creating and Applying Certificates.
For information about providing the new certificate to the SAML app, see the app-specific documentation in the App Integration section.
Generate new API credentials and OAuth tokens.
For legacy API keys, see developers.onelogin.com/api-docs/v1-v3/getting-started/using-the-onelogin-api
For current API keys, see developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
For refreshing OAuth tokens, see developers.onelogin.com/api-docs/1/oauth20-tokens/refresh-tokens
Generate new directory tokens.
Generate new Desktop SSO tokens and credentials.
If you replicate your directory password to provisioned applications (using the SSO Password feature), force a password reset for your users.
To confirm whether you provision the directory password to an app, go to the Parameters tab for that app and look for the Password parameter. If it is mapped to SSO Password, then you should force a password reset.
Recycle any secrets stored in Secure Notes.
See Secure Notes.
Update the credentials you use to authenticate to 3rd party apps for provisioning.
Some apps use OAuth, others use API keys. For information about the apps you use, view the provisioning doc for those apps in the App Integration section.
Update the admin-configured login credentials for apps that use form-based authentication.
See Adding a Form-Based Application.
Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
See Changing Usernames and Passwords for Form-Based Apps.
Replace your RADIUS shared secrets.
See Configuring the RADIUS Server Interface.
If you have questions or need assistance please contact us at email@example.com.
Now some of you might be familiar with CloudBleed from earlier this year, but this seems to be an even bigger issue than the CloudBleed ever was especially with how long the threat actor had access to the information before anything was updated to prevent this from occurring.
As always, if you do have a OneLogin account, please make sure that you update all of your credentials and look at using another service for your password saving solutions. But this also brings up the question, is writing your passwords down on a piece of paper and storing it somewhere locked up safer than through an online password manager?
Let us know your thoughts and if you were effected by this OneLogin Breach.