The password management firm OneLogin reported an unauthorized person gained access to its U.S. data base possibly compromising all the stored records and bringing to the forefront the fact that such login credential repositories are prime targets for hackers.
Cybersecurity executives generally lauded the use of password management systems, but at the same time noted the potential cost if the basket holding all the eggs is breached.
“Password managers are a great enhancement to password security generally but it becomes a single point-of-compromise. From initial reports, it seems that OneLogin had measures in place to quickly detect and respond to a breach and time will tell what exactly the impact was,” John Bambenek, Fidelis Security’s threat systems manager, told SC Media.
With that said Ken Spinner, Varonis Systems vice president of field engineering, reiterated to SC Media the danger involved.
“Password managers are a high-value target for attackers for obvious reasons, and breaches of password vault companies aren’t unprecedented: LastPass suffered a breach that exposed master password hashes back in July of 2015,” he said.
LastPass suffered two security situations, the first time in July 2016 when it patched a message-hijacking vulnerability. The company was then hit twice in a two week period in late March 2017 when critical vulnerabilities were found.
OneLogin’s CISO Alvaro Hoyos wrote in a blog that the intrusion was detected on May 31 and the company has since blocked access, reported the breach to law enforcement and is contacting those affected. At this stage OneLogin does not know the total extent of the damage done, he said. The company is in the process of putting together a more detailed report that should be out on June 1, a company spokesperson told SC Media.
The UK’s The Register discovered the company revealed additional and more troubling information on a registration required web help page only available to OneLogin Customers. Here, The Register wrote, customers are told that all those served by the U.S. data center are affected and data was compromised, including the ability to decrypt encrypted data.
Eleven recommendations are made to customers to help protect themselves, including resetting their OneLogin password, generating new API credentials and generate and apply new Desktop SSO tokens.
Once the breach is under control and its customers safe OneLogin will have to tackle the huge issue of repairing its reputation. Bambenek said password management firms have to be protected like the Tower of London because the literally hold the keys to the customer’s kingdom.
Spinner added that only time will tell how badly OneLogin’s business will be affected.
“In the password manager space, reputation is critical. It’s too soon to tell whether this incident will cause a significant number of OneLogin customers to look for alternatives, but how they handle the breach–in terms of transparency and customer support–will likely play a big role,” he said.
LastPass did not suffer any long-term financial impact. It’s stock price did dip slightly in May 2016, but has since steadily climbed to new highs.