
Onelogin security breach - cameronfactor
https://www.onelogin.com/blog/may-31-2017-security-incident
======
throwawhey1
I don't want to say too much, but I have personal knowledge of internal
details at OneLogin. The company was burdened with excessive technical debt.
Management did not consider security to be a priority.

Multiple vulnerabilities were discovered that would and should have been
company-ending if they had become public, due to both their obscene level of
severity and the extraordinary level of negligence demonstrated. There were
without question many more of these types of bugs.

I sincerely hope that they've gotten their act together. I have no reason to
believe they have, and many to believe that they have not. This is a press
release that I have expected, and am genuinely surprised has not happened
sooner.

Throwaway for obvious reasons.

~~~
tthadani
Hi there -

My name is Trisha Thadani, a reporter for the San Francisco Chronicle. I'm
writing about the OneLogin data breach, and am interested in talking to you
about this. If you're comfortable doing so, feel free to shoot me an email at
tthadani@sfchronicle.com or give me a call at 4157778495.

Hope to hear from you -

Trisha

------
ejcx
I actually have worked in security at startups my entire career. Before the
tons of negative HN posts get posted, two things.

First, hug ops. I've been there before and will be again, OneLogin. Same-day
notification and detecting it yourselves is so great. It sounds very positive.
Transparent and publicly acknowledging the issue as soon as possible. More
information will come out, people; it takes days or weeks to put together the
whole story.

Take notes. Don't try to wait, folks. The first thing you should be doing
after mitigation is figuring out how to communicate with your customers. I'm
excited to read more as they learn more, but so far they are handling this
very well.

~~~
nullnilvoid
We have been using OneLogin as our SSO. We have had positive experience with
it. That said, I am eager to know more about the scope of this breach and
mitigations.

------
BinaryIdiot
Not really any details in that post. As a company offering a Cloud IAM I would
expect some top notch security and while I understand that doesn't mean they
would be "hacker proof" I'm surprised they need to go through an independent
firm just to figure out the how and the extent of the intrusion.

This happened less than a year ago, too!
[https://www.onelogin.com/blog/august-2016-incident](https://www.onelogin.com/blog/august-2016-incident)

~~~
abrookewood
I think the use of an independent firm is supposed to reassure everyone that
they are taking it seriously and aren't going to brush it under the carpet.
It's the same reason why companies use independent firms to do penetration
testing etc, rather than simply stating that these are managed internally.

~~~
BinaryIdiot
Sure and I get doing that _in addition to_ some work internally. But the way
this was written gave me the impression that someone broke in, they don't know
anything about it and are passing it off to someone else.

Maybe that's the wrong impression but with virtually zero details contained
within the post regarding the intrusion it certainly doesn't inspire much
confidence.

------
mag00
If you're a OneLogin customer trying to figure out what you're supposed to do
now, this is what you're supposed to do:

[https://support.onelogin.com/hc/en-us/articles/115002695483?...](https://support.onelogin.com/hc/en-us/articles/115002695483?flash_digest=48a505b52958eba0712cb07e1cc751da3e7e43c2)

(A logged out and "won't be updated" version:
[https://pastebin.com/2eAtMyEv](https://pastebin.com/2eAtMyEv))

Take special note of the "secure notes" feature.

Do your engineers store infrastructure secrets (like AWS access keys /
secrets) within it?

The instructions indicate that these "Secure Notes" are likely compromised and
an adversary has the ability to decrypt them. If your answer was yes, a bad
guy has easy access to your environment.

Additionally, if you're feeling extra cautious, you should look into malicious
activity within any dashboards or logs provided by apps you authenticate with
OL into. For instance, any sort of "recent logins" feature.

Lastly: it's sort of unclear to me what the exposure for any potentially
leaked multifactor integrations might be. For instance, a Duo integration +
secret key, if they leaked, and whether a credential roll for MFA integrations
needs to happen.

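The first question in the checklist above, which infrastructure secrets were sitting in secure notes, worked through as an added example that is not from the thread or from OneLogin. It scans a constructed JSON export (the real export format is not described here, so the `title` and `body` fields are an assumption) for AWS access key IDs and returns a deduplicated rotation list:

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
)

// SecureNote is a constructed approximation of one exported secure note;
// the real export format is not described on the page, so the field names
// are an assumption.
type SecureNote struct {
	Title string `json:"title"`
	Body  string `json:"body"`
}

// IAM user access key IDs start with "AKIA" and temporary (STS) ones with
// "ASIA", followed by 16 uppercase alphanumerics. The 40-character secret
// has no fixed prefix and is deliberately not matched.
var awsKeyID = regexp.MustCompile(`\b(AKIA|ASIA)[0-9A-Z]{16}\b`)

// Finding records which note leaked which key ID so each can be rotated.
type Finding struct {
	NoteTitle string
	KeyID     string
}

// ScanNotes returns one finding per (note, key ID) pair, deduplicated and
// sorted, so the result can be used directly as a rotation checklist.
func ScanNotes(exportJSON []byte) ([]Finding, error) {
	var notes []SecureNote
	if err := json.Unmarshal(exportJSON, &notes); err != nil {
		return nil, fmt.Errorf("parse export: %w", err)
	}
	seen := make(map[Finding]bool)
	var out []Finding
	for _, n := range notes {
		// Titles are scanned too; people paste keys anywhere.
		for _, id := range awsKeyID.FindAllString(n.Title+"\n"+n.Body, -1) {
			f := Finding{NoteTitle: n.Title, KeyID: id}
			if !seen[f] {
				seen[f] = true
				out = append(out, f)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		if out[i].NoteTitle != out[j].NoteTitle {
			return out[i].NoteTitle < out[j].NoteTitle
		}
		return out[i].KeyID < out[j].KeyID
	})
	return out, nil
}

// SampleExport is constructed for this example; the key IDs are the
// placeholder values from the AWS documentation, not real credentials.
const SampleExport = `[
  {"title": "prod deploy", "body": "aws_access_key_id = AKIAIOSFODNN7EXAMPLE\naws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
  {"title": "wifi", "body": "guest network password: correct horse battery staple"},
  {"title": "ci runner", "body": "export AWS_ACCESS_KEY_ID=AKIAI44QH8DHBEXAMPLE\n# same key pasted twice\nAKIAI44QH8DHBEXAMPLE"}
]`

func main() {
	findings, err := ScanNotes([]byte(SampleExport))
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("rotate %s (found in note %q)\n", f.KeyID, f.NoteTitle)
	}
}
```

Each key ID in the list gets a replacement from `aws iam create-access-key`, the replacement is deployed, and the old key is first set to Inactive with `aws iam update-access-key` and only then removed with `aws iam delete-access-key`, in that order so a forgotten consumer surfaces as an access-denied error rather than a silent outage. Treat any note that matched a key ID as having leaked the secret access key too, and check CloudTrail for use of those key IDs from unfamiliar source addresses before concluding the window was clean.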
~~~
yread
I don't understand why you need to log in to see the scope and mitigations.

------
noahmbarr
Having a breach where they provide absolutely no details about the breadth or
depth of the breach makes this even worse.

Onelogin's essential promise is to be a service so secure that they can be
trusted to store your clear, plain-text passwords for all your other
services....

Our CISO is going to have a hard time defending continued use of this service.

~~~
senectus1
_Not a user of this service_ But honestly I think they've done very well.

It was detected today, they shut it down, they have reported it and gotten a
third party to assist in investigating it.

What are you expecting? 100% disclosure before they know the full accounting
themselves? I see no point in disclosing information they haven't verified as
being accurate and relevant. They can't verify and vet the information that
quickly... Posting incorrect information is just as bad as posting not enough.
I think they're doing exceedingly well in comparison to most other
organisations in this space.

------
andy_ppp
I do sometimes wonder about giving every customer separate databases and
putting in firewalls (of varying kinds) between each piece of infrastructure,
using Vault to manage and grant access, checksumming changes to people's
accounts (and possibly requiring some obscure system for reading info in each
database), and in the end making everything very difficult even if a hacker
gets root access to one machine, say, inside your application. Ideally they
wouldn't have access to everything.

I'm terrified, for example, of taking in copies of people's passports or Social
Security numbers as part of creating Stripe managed accounts; I'm responsible
for confirming they are who they say they are, fine, however I don't want to
keep copies of passports lying around on my servers forever. Is it sensible to
delete them after they have been reviewed by two people? Should we encrypt
them after use and store that encryption key lookup in a separate instance of
Vault on a different network/AWS account?

Firstly, startups don't usually have the resources to dedicate to these things,
and secondly there seems to be a need for a standard set of principles for
building less hackable applications. Getting behind the giant metal door
should not be enough to become completely compromised, but is there a
solution, guide or standard, or once I launch am I constantly going to be
looking over my shoulder wondering when the breach will happen at Stripe or
Google or my own company? It's only a matter of time, right?

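One concrete shape of the "encrypt after review, keep the key elsewhere" design asked about above, added here as an example and not the commenter's, Stripe's or any vault product's code: envelope encryption, where each document is encrypted under its own random data key and only that data key is wrapped by a key service in a separate trust domain. The `KeyWrapper` interface, the `localKEK` stand-in and `NewTestVault` are constructed for the example; in a real deployment Wrap and Unwrap would be calls to something like Vault's transit engine or KMS in the other account, and the KEK would never be present on the application host.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeyWrapper stands in for the separate vault or AWS account holding the
// key-encryption key (KEK); the app tier calls Wrap/Unwrap and never sees the KEK.
type KeyWrapper interface {
	Wrap(dataKey, aad []byte) ([]byte, error)
	Unwrap(wrapped, aad []byte) ([]byte, error)
}

// localKEK is a constructed in-process stand-in; in production these are network calls.
type localKEK struct{ kek []byte }

func (l localKEK) Wrap(dataKey, aad []byte) ([]byte, error)   { return seal(l.kek, dataKey, aad) }
func (l localKEK) Unwrap(wrapped, aad []byte) ([]byte, error) { return open(l.kek, wrapped, aad) }

// Envelope is everything the application tier stores for one document.
type Envelope struct {
	Label      string // e.g. "passport:user-42"; bound as AAD so envelopes cannot be swapped
	WrappedKey []byte // per-document data key, encrypted by the vault
	Ciphertext []byte // nonce || AES-256-GCM output of the document under the data key
}

// randBytes returns n bytes from the OS CSPRNG; failure here is not recoverable.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := io.ReadFull(rand.Reader, b); err != nil {
		panic(err)
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, a modified blob or a different aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt draws a fresh 256-bit data key per document, encrypts locally, and
// sends only that data key to the vault to be wrapped.
func Encrypt(vault KeyWrapper, label string, document []byte) (Envelope, error) {
	dataKey := randBytes(32)
	ct, err := seal(dataKey, document, []byte(label))
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := vault.Wrap(dataKey, []byte(label))
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{Label: label, WrappedKey: wrapped, Ciphertext: ct}, nil
}

// Decrypt must first have the vault unwrap the data key, so an attacker holding
// only the application's database and disks has envelopes it cannot open.
func Decrypt(vault KeyWrapper, env Envelope) ([]byte, error) {
	dataKey, err := vault.Unwrap(env.WrappedKey, []byte(env.Label))
	if err != nil {
		return nil, fmt.Errorf("unwrap: %w", err)
	}
	return open(dataKey, env.Ciphertext, []byte(env.Label))
}

// NewTestVault builds a stand-in vault with a random KEK (example only).
func NewTestVault() KeyWrapper { return localKEK{kek: randBytes(32)} }

func main() {
	vault := NewTestVault()
	env, _ := Encrypt(vault, "passport:user-42", []byte("scanned passport (constructed)"))
	pt, err := Decrypt(vault, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

What this buys against the scenario in the comment: root on the application server yields every Envelope but not a single plaintext, because each read has to go through Unwrap, which the key service can restrict to one identity, rate limit and log, so a bulk dump shows up as an anomalous burst of unwrap calls. Deleting a record's wrapped data key retires that passport scan even where backups still hold the ciphertext. The label is bound as AEAD associated data, so a wrapped key copied onto another record fails authentication instead of quietly decrypting the wrong document.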
------
hoodoof
There should be a link at the top of the HN page for "security breach
notifications". Then everyone can safely ignore them as background noise,
which they seem to have become.

------
mifreewil
Just 9 months ago:
[https://news.ycombinator.com/item?id=12398041](https://news.ycombinator.com/item?id=12398041)

------
peterburkimsher
If new flaws are found, the headline could read "Onelogin zero day".

