Password manager OneLogin suffers data breach


OneLogin, an online platform that allows customers to use a single password to access multiple sites and applications, has suffered a data breach. 

The company disclosed the breach on Wednesday, saying that it had detected “unauthorized access” to customer data in the United States the same day. The company is working with law enforcement and a private security firm to investigate the hack, it said in a brief blog post.

“Today we detected unauthorized access to OneLogin data in our US data region,” Alvaro Hoyos, the company’s chief information security officer, wrote.

“We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident,” he wrote.

While the initial disclosure offered few details, an email notification sent to customers and obtained by Motherboard states that “customer data was compromised, including the ability to decrypt encrypted data.” 

Later Thursday, the company posted an update on the incident, saying that it could not rule out whether the breach allowed hackers to decrypt customer data.

"The threat actor was able to access database tables that contain information about users, apps, and various types of keys," Hoyos said in the update. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data."

He said that the "threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S."
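The vector Hoyos describes, a long-lived AWS key lifted from one environment and replayed against the AWS API from an unrelated host, is exactly the pattern that CloudTrail records can expose, because every API call carries the access key ID and the caller's source address. The script below is an added illustration for readers and is not OneLogin's code or anything the article describes; it parses a small set of constructed CloudTrail-style records (the key IDs, addresses and timestamps are made up) and assumes a hypothetical allowlist of the organisation's own address ranges. It flags calls made with a key from outside those ranges, and separately lists keys seen from both inside and outside, which is the signature of a credential that has left its intended host.

```python
import ipaddress
import json

# Constructed CloudTrail-style records for illustration only; none of the
# key IDs, addresses or times below are real.
SAMPLE_CLOUDTRAIL = json.dumps({"Records": [
    {"eventTime": "2017-05-31T08:00:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "10.1.2.3",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T08:05:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T08:06:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T08:10:00Z", "eventName": "PutObject",
     "sourceIPAddress": "203.0.113.9",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002"}},
    # Calls made on the caller's behalf by an AWS service carry a DNS name
    # instead of an IP address in sourceIPAddress.
    {"eventTime": "2017-05-31T08:12:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "lambda.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]})

# Assumed allowlist of address ranges the organisation's own hosts use.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("203.0.113.0/24")]


def parse_records(raw_json):
    """Parse a CloudTrail log file body and return its list of records."""
    return json.loads(raw_json)["Records"]


def is_known_source(source_ip, networks=KNOWN_NETWORKS):
    """True if the call came from an allowlisted range or from an AWS service
    (which CloudTrail reports as a DNS name rather than an address)."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return True
    return any(addr in net for net in networks)


def flag_unexpected_key_use(records, networks=KNOWN_NETWORKS):
    """Return (accessKeyId, sourceIPAddress, eventName, eventTime) for every
    API call made with an access key from outside the known networks."""
    findings = []
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue  # no long-lived key involved (service or anonymous call)
        src = rec.get("sourceIPAddress", "")
        if not is_known_source(src, networks):
            findings.append((key, src, rec.get("eventName"), rec.get("eventTime")))
    return findings


def keys_seen_from_both(records, networks=KNOWN_NETWORKS):
    """Keys used both from inside and from outside the known networks: the
    shape of a credential copied off a legitimate host and replayed elsewhere."""
    inside, outside = set(), set()
    for rec in records:
        key = rec.get("userIdentity", {}).get("accessKeyId")
        if not key:
            continue
        bucket = inside if is_known_source(rec.get("sourceIPAddress", ""), networks) else outside
        bucket.add(key)
    return sorted(inside & outside)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_CLOUDTRAIL)
    for key, src, event, when in flag_unexpected_key_use(recs):
        print(f"{when} {key} called {event} from {src} (outside known networks)")
    print("keys used from both inside and outside:", keys_seen_from_both(recs))
```

In practice the allowlist would come from the VPC and office ranges actually in use, and a hit on `keys_seen_from_both` is a reason to rotate that key and review what the flagged calls touched, not proof of compromise on its own.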

The San Francisco-based operation provides customers with single sign-on and identity management services for cloud-based applications. Among its features, OneLogin lets users manage log-ins to sites and apps through a single portal. 

The company has offered little information on the breach’s impact, but said that it has notified impacted customers and offered them “specific recommended remediation steps” to protect themselves. 

The company, which was founded in 2010, boasts over 2,000 business customers in 44 countries worldwide.

This post has been updated to reflect the latest statement from OneLogin.