OneLogin has confirmed that the theft of an authorized Amazon Web Services (AWS) API key would allow attackers to decrypt encrypted customer data. This may leave OneLogin customers struggling to find and replace impacted certificates.
On 31 May, the identity and access management software vendor first publicly confirmed a security incident in which an unauthorized party gained access to OneLogin data in the U.S. region. Alvaro Hoyos, chief information security officer for the provider, issued a statement at that time reassuring customers that OneLogin was investigating the breach:
"While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented."
Hoyos's statement provided little details about the incident. But emails sent to customers and later obtained by The Register painted a clearer picture. These messages linked to a customer-only support page containing further details about what happened. As quoted by The Register:
"All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data."
The page went on to recommend a series of actions customers should take while OneLogin investigated the breach. Those efforts included generating new certificates for apps that use SAML SSO. According to Meta SaaS, “this is most likely a multi-week undertaking followed by extensive security audits. Undoudebtly this will be expensive and time-consuming.”
The provider learned more about the breach over the following days. A week after first publicly disclosing the incident, OneLogin revealed that the attackers had gotten into the company by stealing and using keys for its Amazon-hosted cloud instance from an intermediate host. Hoyos declined to identify the host for ZDNet. But he did confirm the intrusion vector:
"The way they gained access to our network was through this authorized key…. [The hacker] was able to potentially compromise keys and other secret data, including passwords."
Hoyos went on to say that OneLogin at that time did use intrusion detection systems to spot potential security incidents. However, he noted the company was unable to spot the unapproved use of an authorized key. This oversight enabled the intruders to access the provider's systems and potentially exfiltrate customer data for a seven-hour period during the middle of the night.
Compromised data is a serious security risk of all types of weak key management. Unfortunately, it's not the only one. Cyber criminals can exploit inadequate key management practices to install their own backdoor keys, pivot to mission critical systems, circumvent security controls, and gain unauthorized access to important servers.
To protect against types of threats, organizations need to protect their keys. This process begins with building an inventory. Knowing where their keys are, such as whether they're in the cloud or stored with partners, provides companies with knowledge of those keys' use. From there, enterprises can identify vulnerabilities, remediate security issues, and monitor for compliance violations or other risks.