Friday, June 2, 2017
As we communicated yesterday, we recently detected that a malicious actor had obtained access to our US operating region. Although our review is ongoing and the facts are subject to change, we wanted to provide you with an update about the facts we know thus far.
Method of attack
Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff were alerted to unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.
The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.
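Instance creation through the AWS API, as described above, is recorded in AWS CloudTrail as `RunInstances` events, so one check a defender can run is to list launch calls made from addresses outside expected networks, grouped by access key. This is an added example, not OneLogin's code or tooling; the expected network range, key IDs, timestamps and the `_rec` helper are constructed for illustration.

```python
import ipaddress
import json
from collections import defaultdict

# Assumption: networks this organisation's AWS keys are expected to be used from.
EXPECTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def _rec(time, name, source, key):
    """Hypothetical helper: build one constructed CloudTrail-style record."""
    return {"eventTime": time, "eventSource": "ec2.amazonaws.com", "eventName": name,
            "sourceIPAddress": source, "userIdentity": {"accessKeyId": key}}


# Constructed records for illustration; not data from the incident.
SAMPLE_TRAIL = json.dumps({"Records": [
    _rec("2020-01-01T09:58:12Z", "RunInstances", "203.0.113.45", "AKIAEXAMPLEKEY000001"),
    _rec("2020-01-01T10:03:40Z", "RunInstances", "203.0.113.45", "AKIAEXAMPLEKEY000001"),
    _rec("2020-01-01T11:15:00Z", "RunInstances", "198.51.100.7", "AKIAEXAMPLEKEY000002"),
    _rec("2020-01-01T11:20:00Z", "RunInstances", "autoscaling.amazonaws.com", "AKIAEXAMPLEKEY000003"),
    _rec("2020-01-01T11:30:00Z", "DescribeInstances", "203.0.113.45", "AKIAEXAMPLEKEY000001"),
]})


def from_expected_network(source):
    """True when the caller address is inside an expected network."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        # CloudTrail records an AWS service name here when a service makes the call.
        return source.endswith(".amazonaws.com")
    return any(addr in net for net in EXPECTED_NETWORKS)


def unexpected_launches(trail_json):
    """Group RunInstances calls from unexpected addresses by access key ID."""
    hits = defaultdict(list)
    for rec in json.loads(trail_json).get("Records", []):
        if (rec.get("eventSource"), rec.get("eventName")) != ("ec2.amazonaws.com", "RunInstances"):
            continue
        source = rec.get("sourceIPAddress", "")
        if not from_expected_network(source):
            key = rec.get("userIdentity", {}).get("accessKeyId", "unknown")
            hits[key].append((rec["eventTime"], source))
    return dict(hits)


if __name__ == "__main__":
    for key, calls in unexpected_launches(SAMPLE_TRAIL).items():
        print(key, len(calls), "launch call(s) from", sorted({ip for _, ip in calls}))
```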
OneLogin’s investigation is ongoing, and is aided by independent third-party security experts, as well as law enforcement. We will update this when there is more information we can share, as appropriate. We thank you again for your continued support.