We’re big fans of password managers here at MakeUseOf. They make your life easier, speed up a lot of processes, and improve your security. But they also concentrate your sensitive password information in a single place — and that can be dangerous.
Case in point: OneLogin, the producer of an enterprise-level single sign-on and password management app, was hacked on May 31st, 2017. And that’s really bad news. Here’s what happened, what you should do, and some lessons we can learn.
What Happened at OneLogin?
Here’s what OneLogin says:
“…a threat actor used one of our AWS keys to gain access to our AWS platform via API from an intermediate host with another, smaller service provider in the US…”
What does that mean? It means that someone was looking through OneLogin’s sensitive data. And while much of that data is encrypted, OneLogin believes that the attackers were able to decrypt at least some of the data.
As soon as OneLogin techs detected the intrusion, they shut down the systems that were infiltrated. Unfortunately, it’s been reported that they didn’t detect the intrusion until seven hours after it started. That’s a long time to be poking through sensitive data.
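The seven-hour gap between first API call and detection is the kind of thing a defender wants to catch automatically: a long-lived AWS access key suddenly calling the API from a host it has never used before. The script below is an added example, not OneLogin's code or anything from the page. It assumes CloudTrail-style JSON records (field names as CloudTrail emits them); the sample log, the timestamps, the "trusted" network (an RFC 5737 documentation range) and the detection time are all constructed, and the access key id is the one AWS uses in its own documentation.

```python
"""Flag AWS API calls made with a known access key from an unexpected network,
and measure how long the key was misused before someone noticed.

Added example; not OneLogin's code. Input format assumes CloudTrail-style
records. All sample values below are constructed.
"""
import json
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed: networks from which this key is expected to call the AWS API.
# 203.0.113.0/24 is a documentation range (RFC 5737), used as a placeholder.
TRUSTED_NETWORKS = [ip_network("203.0.113.0/24")]

# Constructed newline-delimited CloudTrail-style records. The key id is the
# AWS documentation example key; IPs and times are made up.
SAMPLE_LOG = """\
{"eventTime": "2017-05-31T01:15:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2017-05-31T02:00:00Z", "eventSource": "rds.amazonaws.com", "eventName": "DescribeDBInstances", "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2017-05-31T02:05:00Z", "eventSource": "kms.amazonaws.com", "eventName": "Decrypt", "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2017-05-31T03:40:00Z", "eventSource": "s3.amazonaws.com", "eventName": "GetObject", "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
{"eventTime": "2017-05-31T04:10:00Z", "eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAIOSFODNN7EXAMPLE"}}
"""


def parse_events(raw):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def parse_time(stamp):
    """CloudTrail eventTime is ISO 8601 in UTC with a trailing Z."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted(source_ip, networks=TRUSTED_NETWORKS):
    """True only if the source address falls inside an allow-listed network.

    CloudTrail sometimes records a non-IP source such as "AWS Internal";
    anything that is not a parseable address is treated as untrusted so a
    human reviews it rather than it slipping past the allow-list.
    """
    try:
        addr = ip_address(source_ip)
    except ValueError:
        return False
    return any(addr in net for net in networks)


def find_anomalous_calls(events, networks=TRUSTED_NETWORKS):
    """Return every access-key API call whose source is outside the allow-list."""
    hits = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId", "")
        ip = ev.get("sourceIPAddress", "")
        if key and not is_trusted(ip, networks):
            hits.append({
                "time": ev["eventTime"],
                "key": key,
                "ip": ip,
                "call": f"{ev['eventSource']}:{ev['eventName']}",
            })
    return hits


def hours_until_detected(hits, detected_at):
    """Hours from the earliest anomalous call to the moment of detection."""
    if not hits:
        return 0.0
    first = min(parse_time(h["time"]) for h in hits)
    return (detected_at - first).total_seconds() / 3600


def summarize(events, detected_at, networks=TRUSTED_NETWORKS):
    """Compact incident summary: count, distinct unexpected IPs, exposure window."""
    hits = find_anomalous_calls(events, networks)
    return {
        "anomalous_calls": len(hits),
        "unexpected_ips": sorted({h["ip"] for h in hits}),
        "hours_exposed": hours_until_detected(hits, detected_at),
    }


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    # Constructed detection time; chosen so the sample reproduces a 7 hour gap.
    report = summarize(events, parse_time("2017-05-31T09:00:00Z"))
    for hit in find_anomalous_calls(events):
        print(f"ALERT {hit['time']} key={hit['key']} ip={hit['ip']} {hit['call']}")
    print(report)
```

Run as-is, the script prints three alerts (the RDS, KMS and S3 calls from 198.51.100.7) and a summary with a 7.0 hour exposure window. In a real pipeline the allow-list would be learned from each key's history rather than hard-coded, and the alert would fire on the first out-of-pattern call rather than being computed after the fact; the point is that the signal (known key, never-before-seen source) is present in the logs long before anyone reads them.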
What sort of data might the attackers have had access to?
“The threat actor was able to access database tables that contain information about users, apps, and various types of keys.”
While it’s unclear exactly what the scope of that list is, it’s definitely a lot of sensitive stuff.
To their credit, OneLogin has been very forthright about this incident. They’ve kept an updated blog post on their site, communicated with customers about the attack, and provided advice on what to do. There’s no indication so far that the company has obfuscated what happened. (Though they may have downplayed the seriousness of the attack somewhat.)
What You Should Do If You Use OneLogin
OneLogin quickly released a guide to help users mitigate any effects of the attack (The Register also posted this list for non-customers). The list includes password resets, new authentication tokens, getting rid of secure notes, and a number of other technical, administrator-level suggestions.
If you’re a user of OneLogin though, the obvious course of action is much simpler: change your passwords and update your authentication tokens. It’s going to take a while, but it’s worth doing, because there’s a very good chance that someone has access to everything you stored in your account. Change your master password, change the passwords to your apps, change everything that you stored in OneLogin.
And trash your secure notes.
Yes, it’s going to suck. But it’s going to suck a lot less than having one of your important services taken over by an attacker (or, possibly worse, held for ransom).
What We Can Learn From the OneLogin Hack
The first, and most worrying, lesson is clear: single sign-on (SSO) and password management companies are not immune to security threats. These companies know that security is a big deal to their customers, and that they hold a huge amount of valuable information.
But bad things happen. In this case, the API keys that gave the attackers access to OneLogin originated “from an intermediate host with another, smaller service provider in the U.S.” Despite OneLogin’s dedication to security, another company’s shortcomings may have let the attackers in.
Unfortunately, no company is hack-proof. Password management and SSO companies take security very seriously, and generally do a good job of it. But this was bound to happen.
Going forward, what can you do? Here are a few things to keep in mind when using these types of services.
Storing Everything in One Place Is a Bad Idea
Obviously you’re going to keep your passwords in your password management app. But should it be the repository for all of your sensitive information? Maybe not.
It’s easy to use LastPass’s secure notes, for example, to keep your bank account information or your home Wi-Fi password. But if that service gets hacked, you’re now looking at even more problems. You might have your credit card information stored already. Yet if you add a few more key pieces of information, identity theft becomes much easier.
Consider using another encrypted service that doesn’t store information in the cloud, like SplashID, or just encrypt and password protect a folder on your computer. It’s slightly less convenient, but it could significantly limit the damage if your password manager is breached.
Think Twice About Single Sign-On
SSO is great because it saves a ton of time and keeps your passwords to a minimum. OpenID, signing in with social network credentials, and other similar methods are quite popular. (To be completely honest, I use these myself.)
The more secure option is to simply open an account with your email address for every site. If you’re using a password manager, this is easy. Not quite as easy as OAuth or a similar one-click sign-on, but it’s definitely more secure.
To be fair, some people do encourage the use of single sign-on as a security practice. Weigh your options.
Use Two-Factor Authentication on Important Services
Which services should you use two-factor authentication for? In short, as many as you can. Your most important services, like email, banking, and cloud storage, should definitely be protected by it. Anything else is a bonus. Do it now.
OneLogin users learned a hard lesson: no service is 100 percent secure. This was a particularly harsh way to learn this lesson, but in the long run, it may be for the best. If you’re a OneLogin user, you should get busy picking up the pieces. If you’re not, consider yourself lucky, and take steps to make sure it doesn’t happen to you.
Were you affected by the OneLogin hack? Does it make you think twice about password managers or single sign-on apps? Share your thoughts in the comments below!