Password manager OneLogin hacked, attackers could ‘decrypt encrypted data’

OneLogin has been hacked, according to the cloud-based password manager and identity management company.

The hackers could “decrypt encrypted data,” the company explained on a customer-only support page that was shared publicly.

“Today we detected unauthorized access to OneLogin data in our US data region,” the company’s chief security officer Alvaro Hoyos said in a statement on Wednesday night. “We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident.”

The San Francisco company posted a short blog post and sent an equally concise email to customers including 2,000 companies in 44 countries. OneLogin serves numerous financial, medical, tech and industrial clients.

OneLogin has not yet made clear which of its customers are served by the compromised U.S. data center but is advising all customers to generate new API keys, OAuth tokens, security certificates and passwords. It’s a mammoth task for a customer list that includes Conde Nast, One Medical Group and SoftBank.

Last year, OneLogin suffered a separate breach in which “an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics,” the company said at the time.

“Password managers are a great enhancement to password security generally but it becomes a single point-of-compromise,” John Bambenek, threat systems manager at Fidelis Cybersecurity, said. “From initial reports, it seems that OneLogin had measures in place to quickly detect and respond to a breach and time will tell what exactly the impact was. The importance of password management solutions is that they must be protected as if they hold all the keys of the kingdom … because they do.”

OneLogin has not responded to a request for comment.