We recently confirmed that an unauthorized user gained access to one of our standalone systems, which we use for log storage and analytics. Here is what we can share about the incident:
OneLogin has a feature called Secure Notes, which end users can use to store information. These notes are stored in our system using multiple levels of AES-256 encryption. A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database. We subsequently discovered evidence that an unauthorized user gained access to this logging system by compromising a OneLogin employee's password for that system. We have no evidence that any other OneLogin system or user account was compromised. Based on the activity in the log management system, we can see that the intruder was able to view, at a minimum, notes that were updated during the period of July 25, 2016 to August 25, 2016. Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during the period of June 2, 2016 to July 24, 2016 are also at risk. This has impacted a small subset of our customers, who we are working with directly on this issue.

Here are the actions we have taken so far:
The cleartext logging bug was fixed on the same day we detected it.

Access to the log management system has been locked down to SAML-based authentication only, and only from a limited set of IP addresses.

All passwords have been reset in all external systems that do not support SAML or that allow alternate forms-based authentication.

Once we verified the initial scope of the incident, we began notifying the impacted customers on August 29, 2016 and will continue to update them as our investigation continues.

We take this matter very seriously and have retained an independent cybersecurity firm to assist in analyzing the issue fully and make sure no stone is left unturned. We have already done an initial round of communications to impacted customers with specific Secure Notes that are at risk, and we will follow up with any other customers who may be impacted as a result of this incident.
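The cleartext-logging bug class described in this notice, as an added example that is not OneLogin's code and is not taken from the notice: a note-save handler that logs the incoming request before encryption (so the plaintext reaches the log system), beside a hardened version that encrypts first and logs only an allow-list of non-secret fields, together with the check a post-incident log review would run. The sample note, the field names, and the SHA-256 counter-mode stand-in cipher are assumptions made for the example; the notice says OneLogin uses AES-256, and real code should use a vetted authenticated cipher.

```python
import hashlib
import json
import logging
import secrets
from io import StringIO

# Constructed sample note for the demonstration; not real customer data.
SAMPLE_NOTE = {"note_id": 17, "user_id": 4242, "body": "vpn password=hunter2"}

# Fields that are safe to log. The secret-bearing "body" is deliberately absent.
LOGGABLE_FIELDS = ("note_id", "user_id")


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode. Illustration-only stand-in for the AES-256 the
    notice mentions; it is unauthenticated and not for production use."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:length]


def encrypt_note(key: bytes, plaintext: str) -> str:
    """Return hex(nonce || ciphertext) under a 32-byte key."""
    if len(key) != 32:
        raise ValueError("key must be 32 bytes")
    nonce = secrets.token_bytes(16)
    data = plaintext.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return (nonce + ct).hex()


def decrypt_note(key: bytes, blob: str) -> str:
    raw = bytes.fromhex(blob)
    nonce, ct = raw[:16], raw[16:]
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode("utf-8")


def save_note_vulnerable(key: bytes, note: dict, log: logging.Logger) -> dict:
    """The bug class in the notice: the request is logged as received, before
    encryption, so the plaintext body lands in the log management system."""
    log.info("saving note %s", json.dumps(note))
    return dict(note, body=encrypt_note(key, note["body"]))


def save_note_hardened(key: bytes, note: dict, log: logging.Logger) -> dict:
    """Encrypt first, then log only an allow-list of non-secret fields. An
    allow-list (rather than a deny-list) means a newly added secret field
    cannot leak by default."""
    record = dict(note, body=encrypt_note(key, note["body"]))
    log.info("saving note %s", json.dumps({k: record[k] for k in LOGGABLE_FIELDS}))
    return record


def capture_logs(save_fn, key: bytes, note: dict):
    """Run save_fn with a logger writing to a buffer; return (record, log text)."""
    buf = StringIO()
    logger = logging.getLogger("notes." + save_fn.__name__)
    logger.setLevel(logging.INFO)
    logger.propagate = False
    for old in list(logger.handlers):
        logger.removeHandler(old)
    logger.addHandler(logging.StreamHandler(buf))
    record = save_fn(key, note, logger)
    return record, buf.getvalue()


def leaks_plaintext(log_text: str, note: dict) -> bool:
    """The post-incident review question: does the secret appear in the logs?"""
    return note["body"] in log_text


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    for fn in (save_note_vulnerable, save_note_hardened):
        record, text = capture_logs(fn, key, SAMPLE_NOTE)
        print(f"{fn.__name__}: leaks plaintext = {leaks_plaintext(text, SAMPLE_NOTE)}")
        print("  log line:", text.strip())
```

Running the file prints one log line per variant; only the vulnerable one carries the note body. The design point is that the secret is never handed to the logger at all, which is stronger than a redaction filter attached to the log handler: a filter that pattern-matches "password=" would have missed a note body that does not look like a credential, while the allow-list never forwards the body in the first place.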
For more information on our security practices and policies, see https://onelogin.com/compliance . If you have any questions, feel free to reach out to your Customer Success Manager at OneLogin or email us directly at support@onelogin.com and we will address your inquiry immediately.
Again, our most sincere apologies. We are making every effort to prevent any similar occurrence in the future.
Alvaro Hoyos,
Chief Information Security Officer