A FIRM CALLED ONELOGIN, that promises to offer solid security and identity management to businesses, has reached out to some customers to let them know that it is as vulnerable as everyone else and has been breached.
Everyone gets breached, but you expect firms that are in the security game to be above such threats. Not anymore. OneLogin has posted a note on its website, which is a good thing, in which it explains that it is shocked and that it has called in the police already.
"Today we detected unauthorised access to OneLogin data in our US data region. We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident," said the firm in a message that is becoming all too familiar sounding to us.
"We want our customers to know that the trust they have placed in us is paramount."
We are not customers, but we do think that some of that trust may be waning. This is probably unfortunate for the company, because presumably things normally run OK, and users do not get breached and do not get contacted with advice about what the hell they ought to be doing about it.
"While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented," added Alvaro Hoyos, chief information security officer at the firm.
The email adds a little more flavour to the incident, upgrading the unauthorised access warning a bit and suggesting that this is a bigger problem than Bond would have us believe.
"We detected unauthorised access to OneLogin data in our US operating region. At this time, OneLogin believes that all customers served by our US data centre are affected and customer data was potentially compromised," it says.
It appears SSO provider @OneLogin just had a huge data breach. Plaintext passwords (by design).
— Ian Chan (@chanian) June 1, 2017
Best of luck to IT teams out there tonight.
Twitter is full of sympathy for the firm, as you can imagine, and it is being flamed for things including the storing, and loss, of plaintext passwords. OneLogin password resets are highly recommended. µ