OneLogin, an identity management software company, announced yesterday that it suffered a data breach. Although the firm hasn’t provided many details, the few that it has released suggest that the breach is extensive.
Customers were warned about the incident in an email yesterday, and OneLogin also posted a short blog post about the problem. A more detailed support page is accessible to customers only, but an apparent Pastebin copy of the page notes that “customer data was compromised, including the ability to decrypt encrypted data.”
OneLogin specializes in managing logins and access for large enterprises. According to its website, it counts major tech companies like Yelp and Pinterest among its customers.* As of 2013, OneLogin boasted 12 million users across 700 companies, and those numbers have likely grown significantly in the last few years.
It’s not clear from OneLogin’s statements so far what kind of customer data was stolen, but the fact that the company is advising mass password resets suggests that passwords may have been compromised. This means that many companies are going to spend today doing security clean-up. Until more details emerge, it’s also not clear what the breach means for people that use services offered by OneLogin’s customers.
Alvaro Hoyos, OneLogin’s chief information security officer, said in the blog post that the company discovered the breach yesterday, and that its investigation into what happened is ongoing. Hoyos added few details about the investigation:
Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.
This is the second breach OneLogin has suffered recently. In August 2016, Hoyos announced that a hacker had broken into a system used for “log storage and analytics.” The attacker used a OneLogin employee password to access the system, where they were able to view customers’ Secure Notes in plaintext before they were encrypted. Hoyos said that the attacker had access to the system between July 2 and August 25 of that year.
Other password managers have suffered security issues recently—LastPass patched a vulnerability in March that could have allowed data theft. However, the vulnerability was reported by a researcher and there’s no evidence that it was ever exploited.
Gizmodo has reached out to OneLogin for comment on yesterday’s breach, and we’ll update if we hear back.
* Correction: A previous version of this story listed Dropbox as a customer of OneLogin. Although OneLogin lists Dropbox as a customer on its homepage, we’ve been alerted to the fact that Dropbox is an integration partner, not a customer, which means that other users could log in to Dropbox services using OneLogin.