OneLogin Breached. Here’s What You Need to Do.

News + Breach | Mjolnir Security | June 1, 2017

Background

Single sign-on provider OneLogin has experienced a breach. If you or your company uses OneLogin to sign in to applications, or if you use any of their other services, you need to be aware of this and may need to take several actions immediately.

In the past 24 hours, OneLogin sent out the following notice about a security incident:

On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.

Emphasis ours; we have bolded the section that says attackers managed to decrypt encrypted data because this could be particularly damaging to OneLogin customers. You can view the full notice in this screenshot, including the necessary actions that OneLogin suggests.

This is not the first time OneLogin has experienced a breach. Their ‘secure notes’ feature was breached in August of last year.

The long list of actions OneLogin suggests users take are as follows:

  • If you replicate your directory password to provisioned applications, force a OneLogin directory password reset for your users.
  • Generate new certificates for your apps that use SAML SSO.
  • Generate new API credentials and OAuth tokens.
  • Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
  • Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite, Workday, Namely and UltiPro.
  • Generate and apply new Desktop SSO tokens.
  • Recycle any secrets stored in Secure Notes.
  • Update the credentials you use to authenticate to third party apps for provisioning.
  • Update the admin-configured login credentials for apps that use form-based authentication.
  • Have your end users update their passwords for the form-based authentication apps that they can edit, including personal apps.
  • Replace your RADIUS shared secrets.
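Of the actions above, rotating SAML signing certificates is the one most easily left half-done: a new certificate gets issued, but the metadata an application or identity provider still serves keeps advertising the old one, so assertions signed with the compromised key remain trusted. The script below is an added example, not OneLogin's or Wordfence's code, and it uses only the Python standard library. It parses a SAML 2.0 metadata document, takes the SHA-256 fingerprint of every `ds:X509Certificate` it finds, and reports whether any of them match a fingerprint you have marked as retired. The metadata and the certificate blobs embedded here are constructed placeholders (the "certificates" are not real DER, only opaque bytes that get hashed), so the script runs offline; in practice you would feed it the metadata fetched from your IdP or SP endpoints.

```python
"""Verify that SAML metadata no longer advertises a retired (pre-rotation) signing certificate.

Added example using only the standard library. Assumes SAML 2.0 metadata with the
usual md: and ds: namespaces; the sample metadata and certificate blobs are constructed.
"""
import base64
import hashlib
import xml.etree.ElementTree as ET
from typing import List, Set

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def cert_fingerprints(metadata_xml: str) -> List[str]:
    """Return the SHA-256 fingerprint (hex) of every X509Certificate in the metadata."""
    root = ET.fromstring(metadata_xml)
    fingerprints = []
    for node in root.iterfind(".//ds:X509Certificate", NS):
        # Metadata usually line-wraps the base64 body; strip all whitespace before decoding.
        b64 = "".join((node.text or "").split())
        der = base64.b64decode(b64)
        fingerprints.append(hashlib.sha256(der).hexdigest())
    return fingerprints


def rotation_complete(metadata_xml: str, retired_fingerprints: Set[str]) -> bool:
    """True only when no certificate in the metadata matches a retired fingerprint."""
    return not any(fp in retired_fingerprints for fp in cert_fingerprints(metadata_xml))


# Constructed placeholders: opaque bytes standing in for DER certificates, not real X.509.
OLD_CERT_BYTES = b"constructed placeholder: old signing cert"
NEW_CERT_BYTES = b"constructed placeholder: new signing cert"
OLD_CERT_B64 = base64.b64encode(OLD_CERT_BYTES).decode()
NEW_CERT_B64 = base64.b64encode(NEW_CERT_BYTES).decode()
# Fingerprint you would record for the certificate issued before the incident.
OLD_FINGERPRINT = hashlib.sha256(OLD_CERT_BYTES).hexdigest()


def make_metadata(cert_b64: str) -> str:
    """Build a minimal, constructed IdP metadata document carrying one signing certificate."""
    return f"""<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}"
    entityID="https://idp.example.invalid/saml">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


if __name__ == "__main__":
    retired = {OLD_FINGERPRINT}
    for label, cert in (("before rotation", OLD_CERT_B64), ("after rotation", NEW_CERT_B64)):
        ok = rotation_complete(make_metadata(cert), retired)
        print(f"{label}: {'OK, retired cert gone' if ok else 'STILL ADVERTISING RETIRED CERT'}")
```

Run it against every metadata endpoint you rely on, not just the IdP's: service-provider metadata registered with OneLogin, and any cached copies in application configuration, can keep an old certificate alive long after the IdP side has been rotated.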

If you use OneLogin, you should have received an email from them with a link to an article that contains the above guidance with additional detail. The article unfortunately requires you to sign in using OneLogin to access it. Screenshot here.

OneLogin has also published a brief blog post about the incident without any additional detail.

This story is also being covered by the BBC, The Register, Motherboard and by Brian Krebs.

Reference: https://www.wordfence.com/blog/2017/06/onelogin-breached/

Image from: onelogin.com

Written by: Mjolnir Security
