by John Armstrong

AWS Encryption Keys Compromised in OneLogin Data Breach

Cloud-based Single Sign-on Services Exposed as Single Point of Failure

There is always, of course, a slight irony when companies focused on providing security for their customers suffer a data breach. On May 31, OneLogin, a San Francisco-based company that allows users to manage their login credentials to multiple sites and apps through a cloud-based platform, reported a troubling data breach, the full extent of which is still unknown. Providing single sign-on and identity management for about 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers, OneLogin plays a strong role in the corporate world. The clean-up from this breach will likely be a huge headache for thousands of businesses.

OneLogin’s Chief Information Security Officer, Alvaro Hoyos, published a blog post that called attention to the breach. The remediation steps suggested in the email provided an indication of how serious this breach may be. Typically, when data breaches occur, companies tell users to change their passwords and keep an eye out for suspicious activity. OneLogin’s suggestions, however, are far more invasive and time-consuming for the affected businesses. The company is telling customers to generate new API keys and OAuth tokens, create new security certificates and credentials, recycle any secrets stored in OneLogin’s Secure Notes feature, have end users update their passwords, and more.

On June 1, OneLogin updated its blog with additional details: “Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”
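The timeline above (a stolen long-lived AWS key used from an outside host to create instances, noticed hours later) is the kind of misuse that CloudTrail records make detectable. The following is an added illustration, not OneLogin's code or logs: it scans constructed CloudTrail-style events for recon or instance-creation calls made with an access key from outside the organisation's known egress ranges, and measures how long each key was abused before it was disabled. The key id, IP addresses, times and the allowlist are all made up.

```python
import ipaddress
from datetime import datetime, timezone

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed CloudTrail-style records (not OneLogin's real logs); values are
# invented to mirror the post's timeline: legitimate use, then foreign use.
EVENTS = [
    {"eventTime": "2017-05-31T01:50:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2017-05-31T02:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2017-05-31T02:14:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0001"}},
    {"eventTime": "2017-05-31T03:00:00Z", "eventName": "GetObject",
     "sourceIPAddress": "203.0.113.22", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0002"}},
]

# Networks from which these keys are legitimately used (constructed allowlist).
KNOWN_EGRESS = [ipaddress.ip_network("203.0.113.0/24")]
# Calls worth alerting on when issued from an unexpected source.
WATCHED_CALLS = {"DescribeInstances", "RunInstances", "ListBuckets", "CreateAccessKey"}


def _from_known_egress(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in KNOWN_EGRESS)


def flag_key_misuse(events):
    """Return (eventTime, accessKeyId, eventName, sourceIP) for every watched
    API call made from outside the known egress ranges."""
    hits = []
    for ev in events:
        if ev["eventName"] in WATCHED_CALLS and not _from_known_egress(ev["sourceIPAddress"]):
            hits.append((ev["eventTime"], ev["userIdentity"]["accessKeyId"],
                         ev["eventName"], ev["sourceIPAddress"]))
    return hits


def exposure_minutes(hits, disabled_at):
    """Minutes between the first flagged call per key and the moment the key
    was disabled: the window the holder of the stolen key actually had."""
    disabled = datetime.strptime(disabled_at, FMT).replace(tzinfo=timezone.utc)
    first = {}
    for t, key, _, _ in hits:
        ts = datetime.strptime(t, FMT).replace(tzinfo=timezone.utc)
        first[key] = min(ts, first.get(key, ts))
    return {k: (disabled - ts).total_seconds() / 60 for k, ts in first.items()}


if __name__ == "__main__":
    for hit in flag_key_misuse(EVENTS):
        print("ALERT", hit)
    print(exposure_minutes(flag_key_misuse(EVENTS), "2017-05-31T09:05:00Z"))
```

An allowlist on source address is only one signal; pairing it with rate and first-seen-call checks per key catches misuse from hosts that happen to sit inside the trusted ranges.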

Gartner Inc. financial fraud analyst Avivah Litan said she has long discouraged companies from using cloud-based single sign-on services, arguing that they are the digital equivalent to an organization putting all of its eggs in one basket.

“It’s just such a massive single point of failure,” Litan said. “And this breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”