The OneLogin Hack Was Serious and It Taught Us a Lesson

Dann Albright 15-06-2017

We’re big fans of password managers here at MakeUseOf. They make your life easier, speed up a lot of processes, and improve your security. But they also concentrate your sensitive password information in a single place — and that can be dangerous.


Case in point: OneLogin, the producer of an enterprise-level single sign-on and password management app, was hacked on May 31st, 2017. And that’s really bad news. Here’s what happened, what you should do, and some lessons we can learn.

What Happened at OneLogin?

Here’s what OneLogin says:

“…a threat actor used one of our AWS keys to gain access to our AWS platform via API from an intermediate host with another, smaller service provider in the US…”

What does that mean? It means that someone was looking through OneLogin’s sensitive data. And while much of that data is encrypted, OneLogin believes that the attackers were able to decrypt at least some of the data.

As soon as OneLogin techs detected the intrusion, they shut down the systems that were infiltrated. Unfortunately, it’s been reported that they didn’t detect the intrusion until seven hours after it started. That’s a long time to be poking through sensitive data.
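What detecting this kind of misuse looks like, as an added example that is not OneLogin's or AWS's code: it flags API calls made with an access key from a network the organisation does not own and measures how long that went on. The events, the key id and the "known" address range are constructed, and the record fields only loosely follow AWS CloudTrail naming.

```javascript
// Added example: alert when a long-lived access key is used from an unknown
// network, and report how long such use went unflagged. All data constructed.
const KNOWN_EGRESS = ["203.0.113.0/24"];   // assumed corporate egress range (TEST-NET-3)

// Constructed sample events: a deploy host using the key normally, then the same
// key used for hours from a host at an unrelated provider.
const EVENTS = [
  { eventTime: "2017-05-31T00:05:00Z", sourceIPAddress: "203.0.113.10", accessKeyId: "AKIAEXAMPLEKEY00001", eventName: "DescribeInstances" },
  { eventTime: "2017-05-31T02:00:00Z", sourceIPAddress: "198.51.100.77", accessKeyId: "AKIAEXAMPLEKEY00001", eventName: "ListUsers" },
  { eventTime: "2017-05-31T03:30:00Z", sourceIPAddress: "198.51.100.77", accessKeyId: "AKIAEXAMPLEKEY00001", eventName: "ListBuckets" },
  { eventTime: "2017-05-31T08:45:00Z", sourceIPAddress: "198.51.100.77", accessKeyId: "AKIAEXAMPLEKEY00001", eventName: "GetBucketAcl" },
];

function ipToInt(ip) { return ip.split(".").reduce((n, o) => (n << 8 | Number(o)) >>> 0, 0); }
function inCidr(ip, cidr) {
  const [net, bits] = cidr.split("/");
  const mask = bits === "0" ? 0 : (~0 << (32 - Number(bits))) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}
function isKnownEgress(ip) { return KNOWN_EGRESS.some(c => inCidr(ip, c)); }

// One alert per event whose access key was used from outside the known ranges.
function findForeignKeyUse(events) {
  return events.filter(e => !isKnownEgress(e.sourceIPAddress))
    .map(e => ({ time: e.eventTime, key: e.accessKeyId, ip: e.sourceIPAddress, action: e.eventName }));
}

// Hours between the first foreign use and the moment the key was revoked.
function hoursUnflagged(events, revokedAt) {
  const alerts = findForeignKeyUse(events);
  if (alerts.length === 0) return 0;
  return (Date.parse(revokedAt) - Date.parse(alerts[0].time)) / 3600000;
}

console.log(findForeignKeyUse(EVENTS));
console.log(hoursUnflagged(EVENTS, "2017-05-31T09:00:00Z"), "hours before revocation");
```

Alerting on the first foreign use (here at 02:00) instead of waiting for a human to notice is what turns a seven-hour window into minutes; the range list is the only tuning this check needs.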

What sort of data might the attackers have had access to?


“The threat actor was able to access database tables that contain information about users, apps, and various types of keys.”

While it’s unclear exactly what the scope of that list is, it’s definitely a lot of sensitive stuff.

To their credit, OneLogin has been very forthright about this incident. They’ve kept an updated blog post on their site, communicated with customers about the attack, and provided advice on what to do. There’s no indication so far that the company has obfuscated what happened. (Though they may have downplayed the seriousness of the attack somewhat.)

What You Should Do If You Use OneLogin

OneLogin quickly released a guide to help users mitigate any effects of the attack (The Register also posted this list for non-customers). The list includes password resets, new authentication tokens, getting rid of secure notes, and a number of other technical, administrator-level suggestions.

If you’re a user of OneLogin though, the obvious course of action is much simpler: change your passwords and update your authentication tokens. It’s going to take a while, but it’s worth doing, because there’s a very good chance that someone has access to everything you stored in your account. Change your master password, change the passwords to your apps, change everything that you stored in OneLogin.

And trash your secure notes.

Yes, it’s going to suck. But it’s going to suck a lot less than having one of your important services taken over by an attacker (or, possibly worse, held for ransom).

What We Can Learn From the OneLogin Hack

The first, and most worrying, lesson is clear: single sign-on (SSO) and password management companies are not immune to security threats. These companies know that security is a big deal to their customers, and that they hold a huge amount of valuable information.


But bad things happen. In this case, the API keys that gave the attackers access to OneLogin originated “from an intermediate host with another, smaller service provider in the U.S.” Despite OneLogin’s dedication to security, another company’s shortcomings may have let the attackers in.

Unfortunately, no company is hack-proof. Password management and SSO companies take security very seriously, and generally do a good job of it. But this was bound to happen.

Going forward, what can you do? Here are a few things to keep in mind when using these types of services.

Storing Everything in One Place Is a Bad Idea

Obviously you’re going to keep your passwords in your password management app. But should it be the repository for all of your sensitive information? Maybe not.


It’s easy to use LastPass’s secure notes, for example, to keep your bank account information or your home Wi-Fi password. But if that service gets hacked, you’re now looking at even more problems. You might have your credit card information stored already. Yet if you add a few more key pieces of information, identity theft becomes much easier.

Consider using another encrypted service that doesn’t store information in the cloud, like SplashID, or just encrypt and password protect a folder on your computer. It’s slightly less convenient, but it could significantly limit the damage if your password manager is breached.

Think Twice About Single Sign-On

SSO is great because it saves a ton of time and keeps your passwords to a minimum. OpenID, signing in with social network credentials, and other similar methods are quite popular. (To be completely honest, I use these myself.)

The more secure option is to simply open an account with your email address for every site. If you’re using a password manager, this is easy. Not quite as easy as OAuth or a similar one-click sign-on, but it’s definitely more secure.

To be fair, some people do encourage the use of single sign-on as a security practice. Weigh your options.

Use Two-Factor Authentication on Important Services

We’ve talked about two-factor authentication countless times, but if you’re not familiar with it, read all about it and learn which services can use it. Then turn it on.

Which services should you use two-factor authentication for? In short, as many as you can. Your most important services, like email, banking, and cloud storage, should definitely be protected by it. Anything else is a bonus. Do it now.

Stay Sharp

OneLogin users learned a hard lesson: no service is 100 percent secure. This was a particularly harsh way to learn this lesson, but in the long run, it may be for the best. If you’re a OneLogin user, you should get busy picking up the pieces. If you’re not, consider yourself lucky, and take steps to make sure it doesn’t happen to you.

Were you affected by the OneLogin hack? Does it make you think twice about password managers or single sign-on apps? Share your thoughts in the comments below!

  1. J.C.
    June 28, 2017 at 8:48 pm

    I disagree that you can't use one password manager to handle the vast majority of credentials, as (for me at least) it's impossible to remember 200+ strong pwords and user IDs. I also agree with 'Eddie G's' comment about using all these home 'smart devices'. This is just asking to be hacked, as still to this day a lot of people don't change default pwords on these 'smart devices' (monitors), routers, PCs, and/or use the same or simple pwords for multiple devices & websites. When you start hooking so many devices to your home network, they're only as secure as your weakest device.
    Let's say a refrigerator for example is connected to your network. The manufacturer probably hasn't put much time into its security, but rather into the device itself and the convenience factor, which probably leaves security holes in its firmware, and when it is patched and updated, most consumers won't update it for a multitude of reasons. I'll take so-called 'inconvenience' and manual controls any day, before I expose it and my network to the Internet full of hackers and illegal spying.

    I use 'Keeper' to handle my multitude of passwords and have been very happy with their product for over 10 years. You have to do your due diligence when choosing a pword manager. 'Keeper' keeps a clean simple interface, and focuses much more of their effort on security. One of the main reasons I've stuck with Keeper and advocate it to family and friends is its dedication to security. Some of the main security features:

    The Private Master Password ONLY - The user only has knowledge of and access to their Master Password and key that is used to encrypt and decrypt their information. (better)
    Deep-Level Encryption - The user data is encrypted and decrypted at the device level, not on Keepers servers or in the cloud. (better)
    Strongest Encryption - Keeper protects my information with AES 256-bit encryption and PBKDF2, widely accepted as the strongest encryption available.
    Multi-Factor Authentication - Keeper supports multi-factor authentication, biometric login and Keeper DNA which uses personal devices like your smartwatch or mobile phone to confirm my identity.

    Not to mention they've been in business for over a decade and never been hacked. They also have a 3rd party audit done (which they pay for) to identify any vulnerabilities, and to measure their security measures.
    These days, the vast majority of people cannot remember 100+ high strength passwords and need to rely on a pword manager. I don't put 'everything' in Keeper, like PINs and some other data that I can easily remember, as I agree with the author in part that you shouldn't put 'ALL' your eggs in one basket, but you can surely put in a lot if you use a proven and very secure pword manager like Keeper.

  2. Eddie G.
    June 28, 2017 at 6:36 am

    Don't care how convenient it makes it....anyone who uses these kinds of services is just asking for more trouble and frustration in their lives. I guess this is the new "norm"....there are homes that are "smart"......where every appliance in the place is connected to the Internet...WHY!?....why do you need a microwave that's connected to your Wi-Fi?.....what ("bleep"ing) sense does that even MAKE!? This is why companies like this...and LifeLock et al. exist. To all of a sudden protect something you should be protecting yourself? I guess when you read the news report about a family being terrorized because some cyber-criminal finally hacked their so-called "un-hackable" keyless front door?....or when you hear on the news about the person who died and who killed three others as their "IoT" connected vehicle was hijacked and they lost control.....maybe then they'll stop this kind of foolishness?...I dunno.....all I know is that the passwords I use?....exist in my HEAD....and while I'm getting up there in age?....I'm not so feeble-minded that I can't remember 'em. Don't want a smart ANYTHING in my house....(it's getting harder to find TVs that are JUST TVs and nothing more!) And you'd better believe that when they have passed laws outlawing human operated vehicles?...I'll be walking / biking everywhere I need to go. Sad to see mankind becoming so "lazy" dependent on someone ELSE to do what THEY should do!...

  3. ReadandShare
    June 19, 2017 at 4:52 pm

    LastPass claims it cannot decrypt your files alone. So that means if LP is hacked, user data will remain safe??

    • ReadandShare
      June 19, 2017 at 4:54 pm

      Brute force attacks notwithstanding...

    • rc primak
      July 14, 2017 at 4:49 am

      They were hacked, and user data was exposed. End of story. Nothing in the Cloud or in your browser is safe.