OneLogin Password Manager Breach Enabled by Stolen AWS Cloud Keys

NEW ANALYSIS: Online password manager service suffers a data breach after an attacker is able to get access to the company's cloud services.

Data breaches

Online password manager service OneLogin reported on May 31 that it was the victim of a data breach that exposed its users and their data to risk.

Initially the company provided few details, other than disclosing the fact that there was an unauthorized access to OneLogin customer data. Late on June 1, the company provided more details, revealing that attackers had infiltrated OneLogin's cloud backend and had unfettered access for seven hours prior to being detected.

OneLogin is using Amazon Web Services (AWS) as its cloud provider and at approximately 2 am PST on May 31, a hacker was somehow able to use OneLogin's AWS credentials. OneLogin's AWS keys were used by the attacker from a smaller, unidentified service provider in the U.S, that was able to create new virtual server instances to get visibility and perform reconnaissance into OneLogin's operations.

"OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it," Alvaro Hoyos,Chief Information Security Officer at OneLogin wrote in a blog post. "The threat actor was able to access database tables that contain information about users, apps, and various types of keys."

Hoyos added that it's also possible the attacker was able to get the information needed to also be able to decrypt user data.

This isn't the first time OneLogin has reported a data breach. In August 2016 the company reported a breach in the company's Secure Notes service. In that incident the root cause was identified as a bug in the platform that enabled attackers to view notes before they were encrypted.

Possible Threat Vectors 

At this point, it's unclear how the attacker was able to get access to OneLogin's AWS credentials or why it took the company seven hours to detect the unauthorized access.

There are a number of potential vectors by which an attacker could have breached OneLogin's security. In many attacks, some form of directed, spear-phishing email is often found to be a root cause. In such a scenario, an attacker sends a fake phishing email to a privileged account holder and then gets the victim to click or log into a service, which then steals the user's credentials.

With AWS in particular though, there are other potential threat vectors that can place unsuspecting organizations at risk. An April 2017 study from security vendor Threat Stack, found that 73 percent of AWS users were leaving the Secure SHell (SSH) service open to the public internet on their cloud instances. SSH is commonly used to remotely administer a server instance.

The Threat Stack study also found that not all AWS users were using Amazon's CloudTrail auditing service in all zones. CloudTrail can be used by organizations to identify potentially unauthorized access and account anomalies. 

However the attacker was able to get access to OneLogin's AWS credentials, the bottom line is the attack should serve as a wake up call for all organizations to revisit and harden their cloud access credentials and monitoring policies.

Sean Michael Kerner

Sean Michael Kerner

Sean Michael Kerner is an Internet consultant, strategist, and contributor to several leading IT business web sites.