Another Key Unlocks Crime in the Cloud: OneLogin Breach Traced Back to Attacker’s Theft of a Highly Sensitive Key

June 16, 2017 | David Bisson

OneLogin has confirmed that the theft of an authorized Amazon Web Services (AWS) API key gave attackers the ability to decrypt encrypted customer data. This may leave OneLogin customers struggling to find and replace every affected key and certificate.

On 31 May, the identity and access management software vendor first publicly confirmed a security incident in which an unauthorized party gained access to OneLogin data in the U.S. region. Alvaro Hoyos, chief information security officer for the provider, issued a statement at that time reassuring customers that OneLogin was investigating the breach:

"While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented."

Hoyos's statement provided few details about the incident. But emails sent to customers and later obtained by The Register painted a clearer picture. These messages linked to a customer-only support page containing further details about what happened. As quoted by The Register:

"All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data."

The page went on to recommend a series of actions customers should take while OneLogin investigated the breach. Those steps included generating new certificates for apps that use SAML SSO. According to Meta SaaS, “this is most likely a multi-week undertaking followed by extensive security audits. Undoubtedly this will be expensive and time-consuming.”

The provider learned more about the breach over the following days. A week after first publicly disclosing the incident, OneLogin revealed that the attackers had obtained keys for its Amazon-hosted cloud infrastructure from an intermediate host and used them to get in. Hoyos declined to identify the host for ZDNet. But he did confirm the intrusion vector:

"The way they gained access to our network was through this authorized key…. [The hacker] was able to potentially compromise keys and other secret data, including passwords."

Hoyos went on to say that OneLogin was running intrusion detection systems at the time to spot potential security incidents. However, he noted, those systems did not flag the unapproved use of an authorized key: the credential itself was valid, so nothing about it looked like an attack signature. That gap enabled the intruders to access the provider's systems and potentially exfiltrate customer data for a seven-hour period in the middle of the night.
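The failure Hoyos describes is a valid key being used in a way its owner never would. One way to catch that is to baseline each access key's usual source addresses and API actions from CloudTrail and alert when a key departs from its own history, for example a new source IP, a new action, or activity in the middle of the night. The Python below is an added example, not OneLogin's or Venafi's code; the CloudTrail-style events are constructed for illustration, and the baseline cutoff, the 00:00 to 06:00 UTC off-hours window and the choice of features are assumptions.

```python
"""Flag unapproved use of an authorized AWS access key from CloudTrail-style events.

Added example, not OneLogin's or Venafi's code. The events are constructed;
their field names follow the CloudTrail record format (eventTime, eventName,
sourceIPAddress, userIdentity.accessKeyId). The baseline cutoff, the 00:00-06:00
UTC off-hours window and the features compared are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: two days of routine daytime S3 reads from one address,
# followed by a night-time burst from a new address that also calls a KMS API
# this key had never used before.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-29T14:02:11Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-29T16:40:05Z", "eventName": "ListBucket", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-30T15:11:48Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T02:15:00Z", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T02:16:30Z", "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
    {"eventTime": "2017-05-31T10:00:00Z", "eventName": "GetObject", "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE000000001"}},
]
# Assumed cutoff: everything before it is treated as known-good history.
BASELINE_UNTIL = datetime(2017, 5, 31, tzinfo=timezone.utc)


def parse_time(ts):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def build_baseline(events, baseline_until):
    """Per access key: the source IPs and API actions observed before the cutoff."""
    profile = defaultdict(lambda: {"ips": set(), "actions": set()})
    for ev in events:
        if parse_time(ev["eventTime"]) < baseline_until:
            key = ev["userIdentity"]["accessKeyId"]
            profile[key]["ips"].add(ev["sourceIPAddress"])
            profile[key]["actions"].add(ev["eventName"])
    return profile


def detect_anomalies(events, baseline_until, off_hours=(0, 6)):
    """Return (reasons, event) pairs for post-cutoff events that deviate from the baseline.

    A valid key used from a new address, for a new action, or outside working
    hours is precisely the activity a signature-based IDS has no rule for.
    """
    profile = build_baseline(events, baseline_until)
    findings = []
    for ev in sorted(events, key=lambda e: e["eventTime"]):
        when = parse_time(ev["eventTime"])
        if when < baseline_until:
            continue
        key = ev["userIdentity"]["accessKeyId"]
        reasons = []
        known = profile.get(key)  # .get() does not create a defaultdict entry
        if known is None:
            reasons.append("key never seen in baseline")
        else:
            if ev["sourceIPAddress"] not in known["ips"]:
                reasons.append("new source IP")
            if ev["eventName"] not in known["actions"]:
                reasons.append("new API action")
        if off_hours[0] <= when.hour < off_hours[1]:
            reasons.append("off-hours")
        if reasons:
            findings.append((reasons, ev))
    return findings


def run_sample():
    """Run the detector over the constructed events."""
    return detect_anomalies(SAMPLE_EVENTS, BASELINE_UNTIL)


if __name__ == "__main__":
    for reasons, ev in run_sample():
        print(ev["eventTime"], ev["userIdentity"]["accessKeyId"], ev["eventName"],
              ev["sourceIPAddress"], "->", ", ".join(reasons))
```

On the sample, the two night-time events from 198.51.100.7 are flagged (the second one additionally for the never-before-seen Decrypt call) while the routine daytime read is not. In production the baseline would be built from a rolling window of real CloudTrail data rather than a fixed list, and the off-hours window would be set per key according to the workload that owns it.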

Data compromise is the most visible consequence of weak key management, but it is not the only one. Cyber criminals can exploit inadequate key management practices to install their own backdoor keys, pivot to mission-critical systems, circumvent security controls, and gain unauthorized access to important servers.

To protect against these threats, organizations need to protect their keys. This process begins with building an inventory. Knowing where keys are, whether in the cloud or held by partners, tells a company how those keys are being used. From there, enterprises can identify vulnerabilities, remediate security issues, and monitor for compliance violations or other risks.
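For AWS specifically, the starting point for such an inventory is the IAM credential report, which lists every user's access keys with their rotation and last-use dates. The Python below is an added example, not OneLogin's or Venafi's code: it parses a constructed report in the CSV layout that `aws iam get-credential-report` returns (the real report is base64-encoded CSV with the same header row) and flags active keys that have not been rotated recently or are never used. The 90-day rotation and 30-day idle thresholds are assumptions.

```python
"""Inventory AWS IAM access keys from a credential report and flag risky ones.

Added example, not OneLogin's or Venafi's code. SAMPLE_REPORT is a constructed
report in the column layout of `aws iam get-credential-report`; the thresholds
(90-day rotation, 30-day idle) and the reference time are assumptions.
"""
import csv
import io
from datetime import datetime, timedelta, timezone

SAMPLE_REPORT = """\
user,arn,user_creation_time,password_enabled,password_last_used,password_last_changed,password_next_rotation,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_1_last_used_region,access_key_1_last_used_service,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date,access_key_2_last_used_region,access_key_2_last_used_service,cert_1_active,cert_1_last_rotated,cert_2_active,cert_2_last_rotated
<root_account>,arn:aws:iam::123456789012:root,2015-03-01T09:00:00+00:00,true,2017-05-20T08:10:00+00:00,not_supported,not_supported,true,false,N/A,N/A,N/A,N/A,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
deploy-bot,arn:aws:iam::123456789012:user/deploy-bot,2016-01-10T12:00:00+00:00,false,no_information,N/A,N/A,false,true,2016-01-10T12:00:00+00:00,2017-05-31T02:15:00+00:00,us-east-1,s3,false,N/A,N/A,N/A,N/A,false,N/A,false,N/A
alice,arn:aws:iam::123456789012:user/alice,2017-02-01T10:00:00+00:00,true,2017-05-30T17:45:00+00:00,2017-02-01T10:00:00+00:00,N/A,true,true,2017-04-15T10:00:00+00:00,2017-05-30T17:50:00+00:00,us-east-1,iam,true,2017-02-01T10:00:00+00:00,N/A,N/A,N/A,false,N/A,false,N/A
"""
# Assumed reference time for the age calculations.
NOW = datetime(2017, 6, 1, tzinfo=timezone.utc)


def parse_ts(value):
    """Return an aware datetime, or None for the report's N/A-style placeholders."""
    if value in ("N/A", "no_information", "not_supported", ""):
        return None
    return datetime.fromisoformat(value)


def inventory_keys(report_csv, now, max_age=timedelta(days=90), max_idle=timedelta(days=30)):
    """One record per *active* access key, each with a list of findings.

    The report carries two key slots per user, so both are checked. Inactive
    slots are skipped because they cannot be used to authenticate.
    """
    records = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        for slot in ("1", "2"):
            if row[f"access_key_{slot}_active"] != "true":
                continue
            rotated = parse_ts(row[f"access_key_{slot}_last_rotated"])
            last_used = parse_ts(row[f"access_key_{slot}_last_used_date"])
            findings = []
            if rotated is None or now - rotated > max_age:
                findings.append(f"not rotated within {max_age.days} days")
            if last_used is None:
                findings.append("never used")  # live credential nobody depends on
            elif now - last_used > max_idle:
                findings.append(f"idle more than {max_idle.days} days")
            records.append({
                "user": row["user"],
                "slot": slot,
                "last_rotated": rotated,
                "last_used": last_used,
                "service": row[f"access_key_{slot}_last_used_service"],
                "findings": findings,
            })
    return records


def run_sample():
    """Inventory the constructed report at the assumed reference time."""
    return inventory_keys(SAMPLE_REPORT, NOW)


if __name__ == "__main__":
    for rec in run_sample():
        status = "; ".join(rec["findings"]) or "ok"
        print(f"{rec['user']} key{rec['slot']} last_used={rec['last_used']} -> {status}")
```

On the sample, deploy-bot's key has not been rotated since early 2016 even though it is in daily use, and alice's second key is both old and has never been used, which is the kind of forgotten credential an attacker is happy to find. Active keys with no findings still belong in the inventory, since the point is to know every credential that exists, not only the bad ones.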

About the author

David Bisson

David Bisson is a security journalist who works as Contributing Editor for IBM's Security Intelligence, Associate Editor for Tripwire, and Contributing Writer for Gemalto, Venafi, Zix, Bora Design and others.
