Sensitive user information repository in OneLogin penetrated, company admits

Canadian organizations that use cloud identity and access manager OneLogin are among those being warned that an intruder may have got access for at least a month this summer to its Secure Notes capability, where users are supposed to be able to safely store sensitive information.

Instead, because of a bug in its system, anything saved in Secure Notes could be seen for weeks by an intruder before being encrypted. The discovery of the bug led to the realization that the store had been penetrated.

Exactly how long isn’t clear. The San Francisco-based company’s CISO Alvaro Hoyos said Tuesday in a statement that “an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics” by compromising a staffer’s password.

Evidence of the intruder dates back as early as July 2. Based on activity in the log management system, the company says, the intruder was able to at the very least view notes that were updated between July 25 and Aug. 25.

As a result it is advising customers to assume notes updated as far back as June 2 are at risk.

“This has impacted a small subset of our customers,” the company says, “who we are working with directly on this issue.”

The cleartext bug has been fixed, it adds. Hoyos said there is no evidence that any other OneLogin system or user account was compromised.
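The bug pattern the article describes is a common one: a service logs the full request (secret included) before the secret is encrypted, so the log store silently becomes a cleartext copy of everything users meant to protect, and anyone who compromises the logging system gets the secrets without touching the encrypted store. The following added example is not OneLogin's code and says nothing about how its system was actually built; it contrasts a vulnerable handler with a hardened one that redacts sensitive fields before any log line is emitted. The field names, the sample request and the keyed-XOR `encrypt_stub` (a stand-in, not real encryption) are all constructed for illustration.

```python
import base64
import json
import logging
from itertools import cycle

# Fields that must never reach log storage in cleartext (constructed list).
SENSITIVE_FIELDS = {"note", "password", "secret"}
REDACTED = "[REDACTED]"

# Stand-in for the real cipher: a keyed XOR, NOT real encryption. It exists only
# so the handlers below have something to "encrypt" with.
_DEMO_KEY = b"demo-key-not-secret"


def encrypt_stub(plaintext: str) -> str:
    data = plaintext.encode("utf-8")
    xored = bytes(b ^ k for b, k in zip(data, cycle(_DEMO_KEY)))
    return base64.b64encode(xored).decode("ascii")


def redact(record: dict) -> dict:
    """Return a copy with every sensitive field replaced, recursing into nested dicts."""
    out = {}
    for key, value in record.items():
        if key in SENSITIVE_FIELDS:
            out[key] = REDACTED
        elif isinstance(value, dict):
            out[key] = redact(value)
        else:
            out[key] = value
    return out


class CapturingHandler(logging.Handler):
    """Collects formatted log lines so the example can inspect exactly what
    would have been shipped to a log store."""

    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))


def save_note_vulnerable(request: dict, log: logging.Logger) -> str:
    # Bug pattern: the whole request, secret included, is logged before the
    # note is ever encrypted. Whoever can read the log store reads the note.
    log.info("save_note request=%s", json.dumps(request))
    return encrypt_stub(request["note"])


def save_note_hardened(request: dict, log: logging.Logger) -> str:
    # Fix: redact before logging, then log only metadata about the stored object.
    log.info("save_note request=%s", json.dumps(redact(request)))
    ciphertext = encrypt_stub(request["note"])
    log.info("save_note stored user=%s ciphertext_len=%d",
             request["user"], len(ciphertext))
    return ciphertext


def capture_log_lines(handler_fn, request: dict) -> list:
    """Run a handler against an isolated logger and return the lines it emitted."""
    logger = logging.getLogger(f"example.{handler_fn.__name__}")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    capture = CapturingHandler()
    logger.addHandler(capture)
    handler_fn(request, logger)
    return capture.lines


def leaks_secret(lines: list, secret: str) -> bool:
    """True if the secret appears verbatim in any line bound for log storage."""
    return any(secret in line for line in lines)


if __name__ == "__main__":
    # Constructed sample request; the note value is the thing that must not leak.
    sample = {"user": "alice", "note": "vpn password: hunter2", "tags": ["work"]}
    for fn in (save_note_vulnerable, save_note_hardened):
        lines = capture_log_lines(fn, sample)
        print(fn.__name__, "leaks note:", leaks_secret(lines, sample["note"]))
        for line in lines:
            print("   ", line)
```

The check that matters for a defender is `leaks_secret` over the captured lines: it is the kind of assertion worth running in a test suite against every handler that touches user secrets, because a log store is usually protected far more weakly than the encrypted data store it sits beside.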

As its name implies, OneLogin is a single sign-on service that takes the burden off administrators by syncing with multiple directories and applications. To Canadian customers it offers Active Directory integration with Office365, job site Monster Canada, IT products distributor Synnex Canada and Expedia’s business travel site, among thousands of business applications. These include Salesforce, Zendesk, HootSuite, Box, Google Analytics, WordPress and more.

Like competitors – sometimes called cloud access security brokers (CASBs), including Okta, Ping Identity, Centrify, Symplified, SecureAuth – OneLogin says it helps CISOs enforce security policies across approved applications and helps eliminate shadow IT.

Launched in 2010, the company says it has 1,400 enterprise customers in 44 countries.

Hoyos said access to OneLogin’s log management system has been locked down to SAML-based authentication only, and only from a limited set of IP addresses.

In addition, all passwords have been reset in all external systems that don’t support SAML or that allow alternate forms-based authentication.


Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
