We recently confirmed that an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics. Here is what we can share about the incident:
- OneLogin has a feature called Secure Notes, which end users can use to store information. These notes are stored in our system using multiple levels of AES-256 encryption.
- A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database.
- We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system.
- We have no evidence that any other OneLogin system or user account was compromised.
- Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016.
- Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during period of June 2, 2016 to July 24, 2016, are also at risk.
- This has impacted a small subset of our customers, who we are working with directly on this issue.
Here are the actions we have taken so far:
- The cleartext logging bug was fixed on the same day we detected it.
- Access to the log management system has been locked down to only SAML-based authentication and only from a limited set of IP addresses.
- All passwords have been reset in all external systems that don’t support SAML or allow alternate forms-based authentication.
- Once we verified the initial scope of the incident, we began notifying the impacted customers on August 29, 2016 and will continue to update them as our investigation continues.
We take this matter very seriously and have retained an independent cybersecurity firm to assist in analyzing the issue fully and make sure no stone is left unturned. We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk and we will follow up with any other customers who may be impacted as a result of this incident.
For more information on our security practices and policies, see https://onelogin.com/compliance. If you have any questions, feel free to reach out to your Customer Success Manager at OneLogin or email us directly at firstname.lastname@example.org and we will address your inquiry immediately.
Again, our most sincere apologies. We are making every effort to prevent any similar occurrence in the future.
Chief Information Security Officer