Dive Brief:
- Password manager OneLogin suffered a breach in its U.S. data region, according to a blog written by OneLogin CISO Alvaro Hoyos. OneLogin is a cloud-based service that allows users to manage logins to multiple sites and apps from a single platform. A message sent from OneLogin to its customers said "customer data was compromised, including the ability to decrypt encrypted data."
- The company has blocked the unauthorized access, reported the matter to law enforcement, and is working with an independent security firm to determine how the unauthorized access happened and to verify the extent of the impact of this incident, Hoyos said. OneLogin has also reached out to impacted customers with recommended remediation steps.
- OneLogin serves about 2,000 companies in 44 countries, more than 300 app vendors and more than 70 Software as a Service providers. The company has not said how many customers were affected by the breach.
Dive Insight:
Services like OneLogin can make it easier for companies and individual users to manage multiple logins and passwords. But there’s also something to be said for putting all of your eggs in one security basket. When a breach like this occurs, hackers potentially hold the keys to the kingdom.
OneLogin hasn’t revealed anything about how the breach occurred, or whether hackers made off with only customer data or with passwords as well. It did, however, say that the breach "included the ability to decrypt encrypted data," which is a very bad sign for OneLogin customers.
Given that the whole point of OneLogin is to improve security, the breach will not be good for the company’s reputation. Even worse, this is the second data breach that OneLogin has suffered within the past year.