The 1980 Queen hit ‘Another One Bites the Dust’ was an anthem for the 80s generation. But it also happens to describe security systems nearly 40 years later. After the massive ransomware attack last week (‘WannaCry’), and Android iOS breach (‘Judy’), another critical breach has been reported by the access management service (AMS) OneLogin.
OneLogin is a major player in the AMS service field. They provide password management for enterprise level clientele. The service is helpful for this client base because it provides a single sign on (SSO) cloud solution for ease and greater levels of security. Their client list is impressive – AAA, Yelp, and Dell, to name a few. Their open source tool kits are being used by more than three hundred venders and seventy software-as-a-service (SaaS) vendors worldwide.
With all this corporate access information, no wonder OneLogin is a target for high-level hacking. Yesterday the company announced that a major malicious attack had occurred on their US operations. The attacker was able to access the AWS API and create a number of instances within the infrastructure. The hacker had seven hours of uninterrupted access.
The company is still determining the extent of the breach, but in their announcement did indicate that some very major events had happened. It appears that the attacker was able to access information about the company’s users including various types of keys, and, far more concerning, was able to decrypt data that was at rest within the archives. This means that the actor was able to find access to the highest level of security, and that OneLogin had apparently left a gaping hole in their system, allowing for a breach of end to end encryption. This sort of breach indicates a substantial concern within the OneLogin system that will raise attention at the highest levels.
The company has provided a guide for securing data that has been breached, which, no doubt, was the task of a substantial part of the corporate IT world this morning. However, the guide simply provides 11 steps to recreating security for breached data, but this does not mean that the hacker, with seven hours of access, has not already obtained and decrypted whatever data was present. At the enterprise level, this is the equivalent of breaking into the CEO’s office and rifling through his desk and personal files for 7 hours. It’s not good.
This is not the first attack on OneLogin. A previous hack had compromised a substantial amount of data, but encryption was never broken. This current attack has led some in the security world to question how to best secure high level corporate data, given the increasing level of hacker ability. Companies would be wise to be researching different methodologies (both in house and third party), and identifying deeper levels of security risk than the home page of the company offers. OneLogin is a high level security system, and such a hack should make other IT professionals question where safety is even possible at this point. As the Queen ballad reminds us, no one is safe.