August 31, 2016
OneLogin has announced a server security breach that allowed an intruder to take a peek at customer Secure Notes thanks to a bug in the company’s logging procedures.
The San Francisco-based startup, which provides a relatively popular SSO (Single Sign-On) service, has detailed the series of unfortunate events that led to a serious and embarrassing security breach.
Hacker had access to the server for almost two months
OneLogin says that the data breach started when an attacker managed to gain access to one of its employees’ credentials for a server used to store logs and analytics information.
The attacker accessed that system between July 2, 2016, and August 25, when the company discovered the intrusion.
While in normal circumstances the attacker would have been greeted by a bunch of boring and useless log lines, OneLogin says that a bug in the logging system exposed data from Secure Notes in clear text.
Bug stored encrypted data in cleartext in OneLogin’s logs
OneLogin offers Secure Notes to its customers as a notepad utility that stores text information on the company's servers in an encrypted format. On its website, the company even recommends that customers use Secure Notes for storing passwords and license keys.
According to Alvaro Hoyos, OneLogin’s Chief Information Security Officer, the Secure Notes system that encrypts the data using multiple levels of AES-256 encryption had a bug that caused the notes to be visible in the logs in their cleartext form.
The intruder had access to all Secure Notes created and edited between July 25 and August 25, the period during which the bug was present in the system and the attacker also had access to the server.
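The failure mode described above is a service that writes a note's plaintext into a log line before (or alongside) encrypting it. The following is an added example, not OneLogin's code: it shows that logging path, a logging filter that strips sensitive fields before they reach the log sink, and a scanner that checks existing log output for unredacted fields. The field names and the sample note value are constructed for this example.

```python
import io
import json
import logging

SENSITIVE_FIELDS = {"note_body", "password", "license_key"}  # assumed field names

class RedactingFilter(logging.Filter):
    """Rewrite JSON-shaped log records so sensitive fields never reach the sink."""
    def filter(self, record: logging.LogRecord) -> bool:
        try:
            payload = json.loads(record.getMessage())
        except ValueError:
            return True  # not a structured record: pass through unchanged
        for key in payload.keys() & SENSITIVE_FIELDS:
            payload[key] = "[REDACTED]"
        record.msg, record.args = json.dumps(payload, sort_keys=True), ()
        return True

def make_logger(sink: io.StringIO, redact: bool) -> logging.Logger:
    """Build a logger writing to `sink`, with or without the redaction filter."""
    logger = logging.getLogger(f"notes-redact-{redact}")
    logger.handlers.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    handler = logging.StreamHandler(sink)
    if redact:
        handler.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger

def save_note(logger: logging.Logger, user: str, note_body: str) -> None:
    """Service path that logs the whole request; unfiltered, this leaks the plaintext."""
    logger.info(json.dumps({"event": "note_saved", "user": user, "note_body": note_body}))

def find_leaks(log_text: str) -> list:
    """Scan existing log output; return (line_no, field) for unredacted fields."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except ValueError:
            continue
        leaks += [(n, k) for k in sorted(rec.keys() & SENSITIVE_FIELDS)
                  if rec[k] != "[REDACTED]"]
    return leaks

def demo(redact: bool) -> str:
    sink = io.StringIO()
    save_note(make_logger(sink, redact), "alice", "hunter2 (constructed sample)")
    return sink.getvalue()
```

Running `find_leaks` over a log store is also a cheap periodic check that a redaction layer has not silently been bypassed by a new code path.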