Services that centrally manage passwords and logins can provide some serious convenience, and even make your information more secure by making it more likely that you will use stronger passwords. If such a service is hacked, however, it can be a disaster, potentially exposing your information from multiple sites at once.
One such service, OneLogin, suffered from an attack last week and the repercussions still aren’t fully known. As Motherboard reports, the company provided very vague information in its initial public statement, but was a little more precise in an update and via emails to its customers.
The OneLogin blog post described the breach’s potential impact as follows:
“The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.”
According to copies of emails that some OneLogin customers provided to Motherboard, the steps that customers need to take are rather significant. They include generating new API keys and OAuth tokens, creating new security credentials and certificates, recycling secrets stored in the OneLogin Secure Notes feature, and updating passwords.
OneLogin successfully blocked the illicit access and reported the incident to law enforcement, and it has engaged an independent security company to find out what happened and the extent of the damage. In the meantime, OneLogin’s customers should follow the company’s recommendations and then hope that their specific information wasn’t compromised.
Securing the data that we control ourselves, on our own PCs and devices, is hard enough. Seeing our data compromised when another organization fails to keep its systems secure is frustrating, to say the least. It does, however, serve as a reminder that we should always keep our eyes out for anything suspicious when it comes to our credit and other information — whether or not we know about any specific breaches.