Canadian organizations that use the cloud identity and access manager OneLogin are among those being warned that an intruder may have gained access for at least a month this summer to OneLogin's Secure Notes feature, where users are supposed to be able to safely store sensitive information.
Instead, because of a bug in its system, anything saved in Secure Notes could be read in cleartext by an intruder for weeks before it was encrypted. The discovery of the bug led to the realization that the store had been penetrated.
Exactly how long isn’t clear. The San Francisco-based company’s CISO Alvaro Hoyos said Tuesday in a statement that “an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics” by compromising a staffer’s password.
Evidence of the intruder dates back as early as July 2. Based on activity in the log management system, the company says, the intruder was able, at the very least, to view notes that were updated between July 25 and Aug. 25.
As a result, it is advising customers to assume that notes updated as far back as June 2 are at risk.
“This has impacted a small subset of our customers,” the company says, “who we are working with directly on this issue.”
The cleartext bug has been fixed, it adds. Hoyos said there is no evidence that any other OneLogin system or user account was compromised.
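The following is an added illustration, not code from the article or from OneLogin, of the class of defect described above: a note-update handler that ships the whole request to a log system before the body is encrypted, beside a version that logs only metadata, plus a defender-side check that scans stored log lines for note bodies. The handler names, the in-memory log store and the hash-derived stand-in cipher are all constructed for this example.

```python
import hashlib
import json
from typing import Dict, List

# Constructed stand-in for an external log management / analytics system:
# every event is just appended to this list as one JSON line.
LOG_STORE: List[str] = []


def log_event(event: Dict) -> None:
    """Ship a structured event to the (simulated) log management system."""
    LOG_STORE.append(json.dumps(event, sort_keys=True))


def encrypt_note(plaintext: str, key: bytes) -> bytes:
    """Stand-in cipher (hash-derived keystream XOR); not a real AEAD scheme."""
    data = plaintext.encode()
    stream = b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))


def save_note_vulnerable(request: Dict, key: bytes) -> bytes:
    # Defect: the full request, note body included, is written to the log
    # store in cleartext before encryption, so anyone reading logs reads notes.
    log_event({"action": "note.update", "request": request})
    return encrypt_note(request["body"], key)


def save_note_fixed(request: Dict, key: bytes) -> bytes:
    # Fix: log only non-sensitive metadata; the body never reaches the logs.
    log_event({"action": "note.update", "user": request["user"],
               "note_id": request["note_id"], "body_len": len(request["body"])})
    return encrypt_note(request["body"], key)


def find_leaked_notes(log_lines: List[str], note_bodies: List[str]) -> List[int]:
    """Defender check: indexes of log lines that contain a known note body verbatim."""
    return [i for i, line in enumerate(log_lines)
            if any(body in line for body in note_bodies)]


if __name__ == "__main__":
    req = {"user": "alice", "note_id": 17, "body": "db-password: hunter2"}  # constructed
    LOG_STORE.clear()
    save_note_vulnerable(req, b"k")
    print("leaking lines (vulnerable):", find_leaked_notes(LOG_STORE, [req["body"]]))
    LOG_STORE.clear()
    save_note_fixed(req, b"k")
    print("leaking lines (fixed):", find_leaked_notes(LOG_STORE, [req["body"]]))
```

Running the same scan over a real log export, with a sample of known note contents, is the kind of check that would surface this defect before an intruder does.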
As its name implies, OneLogin is a single sign-on service that takes the burden off administrators by syncing with multiple directories and applications. To Canadian customers it offers Active Directory integration with Amazon.ca, Office365, job site Monster Canada, IT products distributor Synnex Canada and Expedia’s business travel site Egencia.ca among thousands of business applications. These include Salesforce, Zendesk, HootSuite, Box, Google Analytics, WordPress and more.
Like its competitors (sometimes called cloud access security brokers, or CASBs), including Okta, Ping Identity, Centrify, Symplified and SecureAuth, OneLogin says it helps CISOs enforce security policies across approved applications and helps eliminate shadow IT.
Launched in 2010, the company says it has 1,400 enterprise customers in 44 countries.
Hoyos said access to OneLogin's log management system has been locked down to SAML-based authentication only, and only from a limited set of IP addresses.
In addition, all passwords have been reset in all external systems that don't support SAML or that allow alternate forms-based authentication.