Cleartext Credential Notepads Exposed In OneLogin Breach

A recent security breach of OneLogin’s Secure Notes service could have allowed hackers to read cleartext notes containing authentication credentials, admin passwords, and even software keys stored by its customers.

With more than 12 million customers relying on OneLogin for managing credentials, the company stated that only notes edited between June 2nd and August 25th seem to have been affected. The breach involved exploitation of a bug that left user notes visible in cleartext before they were encrypted with several layers of AES-256.

“Due to the presence of the intruder as early as July 2, 2016, we are advising customers that notes updated during period of June 2, 2016 to July 24, 2016, are also at risk,” reads the statement by Chief Information Security Officer Alvaro Hoyos. “This has impacted a small subset of our customers, who we are working with directly on this issue.”

While the vulnerability was patched the same day, the company also said that access to internal systems was achieved by obtaining an employee’s credentials. The company has already started working with an external security company to investigate the issue and has begun working with the “small subset” of affected users on fixing it.

“Access to the log management system has been locked down to only SAML-based authentication and only from a limited set of IP addresses,” said OneBreach. “All passwords have been reset in all external systems that don’t support SAML or allow alternate forms-based authentication.”

The company has underlined that it will keep its customers updated on its findings and that everyone affected is encouraged to take steps towards minimizing potential risks.
