Password manager OneLogin hacked, exposing sensitive customer data

The company, which has millions of users, said that hackers have ‘the ability to decrypt encrypted data.’

Zack Whittaker

Password manager and single sign-on provider OneLogin has been hacked, the company has confirmed. In a brief blog post, the company’s chief security officer Alvaro Hoyos said that it had “detected unauthorized access to OneLogin data in our US data region,” and that it had reached out to customers.

The blog post had no further information or technical details about the incident. It also omitted that hackers had stolen sensitive customer data, which was only cursorily mentioned in an email to customers, seen by ZDNet.

“OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised,” the email read.

Hackers have “the ability to decrypt encrypted data,” says a support page, accessible only to OneLogin customers (a copy of the post was published online).

The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens — used for logging into accounts — as well as to create new security certificates. The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted.

But questions remain over how the hackers had access to data that could be decrypted in the first place.

“Am I the only 1 to find it disturbing OneLogin had a decryption method for customer data accessible enough to be grabbed via breach?” said one user on Twitter.

The company also hasn’t said how many customers were affected. Hoyos said that the company had blocked the unauthorized access after the breach and is working with law enforcement.

OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It’s thought that the company has millions of users and serves more than 2,000 companies in dozens of countries, according to CrunchBase.

The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web Services, Microsoft’s Office 365, LinkedIn, Slack, Twitter, and Google services.

It’s the second such breach in as many years. Last August, the company warned users that its Secure Notes service had been accessed by an “unauthorized user,” but denied that any customer data had been compromised.

OneLogin didn’t immediately respond to questions.
