OneLogin is a password manager and single sign on (SSO) provider with millions of customers in dozens of countries. The company offers password and authentication services that allow corporate users to store all their password and sensitive data in the cloud and access that information using a single password.
Password managers and SSO can be highly convenient and offer increased security by allowing users to store different and stronger passwords for many services that require authentication, only having to remember one password to access them all. This arrangement relies absolutely on the company storing all the passwords having the strictest security. Millions of passwords stored by one company is, of course, a highly tempting target for hackers.
OneLogin announced on May 31, 2017 its US data center had been breached by unknown parties and encrypted and unencrypted customer data was stolen. If sensitive information falls into the wrong hands, provided it is encrypted, it remains unusable. Worryingly, OneLogin reported the hackers may also have obtained a means to decrypt encrypted data.
The net result of this incident is the potential exposure of millions of customers and the myriad of online services protected by the credentials that have been stolen.
Is Your OneLogin Data at Risk?
This is uncertain as the full extent of the breach and the number of affected customers has not been detailed. OneLogin has stated that some of its customer data was stolen from one data center. The company has since closed the breach to prevent further exploits and has hired an outside security specialist to fully investigate how the exploit was conducted.
We have implemented several improvements to strengthen our infrastructure to help mitigate the risk of future intrusion.
Whether your account has been compromised or not, you should still take all recommended steps to secure your data. OneLogin recommends you change your passwords (yes, all of them, for every service you have stored) and, if you use these features, generate new API keys for all services, create new OAuth tokens and create new security certificates.
OneLogin also stated information stored in its Secure Notes feature can be decrypted, so you may want to review policies related to using the feature to store sensitive information.
OneLogin Instructions to Secure Your Account
OneLogin has issued detailed and somewhat complex instructions that all customers should follow immediately in order to secure their accounts.
On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to possibly decrypt some encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions:
If you replicate your directory password to provisioned applications (using the SSO Password feature) or if your users authentication method is OneLogin as a directory, force a OneLogin directory password reset for your users.
You don’t need to reset directory passwords if you don’t use the SSO Password feature or if your users authenticate using Active Directory!
See Password Management.
Generate new certificates for your apps that use SAML SSO.
Generate new API credentials and OAuth tokens.
- For legacy API keys, see developers.onelogin.com/api-docs/v1-v3/getting-started/using-the-onelogin-api
- For current API keys, see developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
- For OAuth tokens, see developers.onelogin.com/api-docs/1/oauth20-tokens/refresh-tokens
Generate and apply new directory tokens for Active Directory Connectors and LDAP Directory Connectors.
For Active Directory Connectors:
- Create a new failover Active Directory Connector instance, following steps 1- 5a in “Adding additional ADC instances for load balancing and failover.”
- Copy the installation token for the new failover over the existing primary Active Directory Connector token on the server where the Active Directory Connector instance runs, replacing the contents of the Windows Registry key at
HKEY_Local_Machine\SOFTWARE\Wow6432Node\OneLogin, Inc.\Active Directory Connector\DirectoryToken
- Restart the Active Directory Connector.
- Switch the new failover Active Directory Connector instance to be the primary (sync) connector, following the instructions in “Failing over a synchronization Active Directory Connector instance manually.”
- Delete the old Active Directory Connector instance from OneLogin by following the instructions in “Deleting or disabling your Active Directory Connector instance.”
For LDAP Directory Connectors:
- Create a new failover LDAP Directory Connector instance, following steps 1 – 6 in Installing Multiple LDAP Directory Connectors for High Availability.
- Copy the token from the new instance to the config file for your existing active LDAP Directory Connector by editing the file
conf/ldc.confand updating the configuration property
ldc.api.token. (See steps 9 and 10 in “Installing an LDAP Directory Connector“)
- Restart the LDAP Directory Connector.
- Switch the new failover LDAP Directory Connector instance to be the active connector, following the instructions in “Switching a standby connector to active.”
- Remove the old LDAP Directory Connector instance from OneLogin by clicking Delete on the Basic tab of the LDAP Directory Connector configuration page (Go to Users > Directories, select the directory, go to the Basic tab, and select the instance to delete).
Update the API or OAuth credentials you use to authenticate to third-party directories like G Suite (Google), Workday, Namely, and UltiPro.
For details, see:
Generate and apply new Desktop SSO tokens.
- If you use Active Directory Connectors for Desktop SSO, you should generate and apply new directory tokens, as described above.
- If you use a remote authentication script running in IIS (rather than Active Directory Connectors), go to Settings > Desktop SSO, scroll down to Redirect URLs, select Fixed URL, click Generate new token, and copy the new token to your remote authentication script. For more details, see Configuring Desktop SSO Using a Remote Authentication Script in IIS.
Recycle any secrets stored in Secure Notes.
See Secure Notes.
Update the credentials you use to authenticate to 3rd party apps for provisioning.
Some apps use OAuth, others use API keys. For information about the apps you use, view the provisioning doc for those apps in the App Integration section.
Update the admin-configured login credentials for apps that use form-based authentication.
Tip! You can use CSV batch login update to update passwords for form-based authentication. See CSV Batch Login Update.
- Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
Replace your RADIUS shared secrets.