The identity and access management service OneLogin, which uses Amazon Web Services (AWS) to store customer data, recently announced that an attacker had "obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the U.S."
The attacker gained access to the system on May 31, 2017 from around 2am PST to around 9am PST, when OneLogin staff was alerted to unusual database activity and blocked the access.
"The threat actor was able to access database tables that contain information about users, apps, and various types of keys," the company stated. "While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data."
The Register reports that a separate notification provided to customers states more explicitly, "All customers served by our U.S. data center are affected; customer data was compromised, including the ability to decrypt encrypted data."
The company is working with law enforcement and with third-party security experts to investigate the breach.
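The breach described above began with a stolen set of AWS keys being used from a host the account owner did not control. One way a defender spots that pattern is to scan CloudTrail records for API calls made with an access key from a network outside the organization's known egress ranges. The following is an added example, not code from OneLogin or from AWS; the field names (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId) are real CloudTrail fields, but the events, key IDs and network ranges are constructed for illustration.

```python
"""Flag AWS API calls made with an access key from an unexpected network.

Added example; the sample events below are constructed and mimic the shape
of CloudTrail records, they are not real log data.
"""
import ipaddress
from collections import defaultdict

# Constructed sample events (not real CloudTrail data). The first two and the
# last one come from the fictional corporate egress range 203.0.113.0/24; two
# calls with the same key come from an unrelated host.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T01:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2017-05-31T01:12:00Z", "eventName": "ListBuckets",
     "sourceIPAddress": "203.0.113.11",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2017-05-31T02:03:00Z", "eventName": "GetObject",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2017-05-31T02:04:30Z", "eventName": "ListUsers",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00001"}},
    {"eventTime": "2017-05-31T02:05:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.20",
     "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY00002"}},
    # Calls made by an AWS service on your behalf carry a DNS name, not an IP.
    {"eventTime": "2017-05-31T02:06:00Z", "eventName": "AssumeRole",
     "sourceIPAddress": "cloudformation.amazonaws.com",
     "userIdentity": {"type": "AWSService"}},
]

# Constructed allowlist of networks the organization's own tooling calls from.
ALLOWED_NETWORKS = ["203.0.113.0/24"]


def flag_unexpected_key_use(events, allowed_networks):
    """Return one finding per (access key, source IP) pair seen outside the
    allowed networks, with a count of calls and the API actions involved."""
    nets = [ipaddress.ip_network(n) for n in allowed_networks]
    grouped = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        src = ev.get("sourceIPAddress", "")
        if not key:
            continue  # service-originated or unauthenticated call, no key to track
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue  # sourceIPAddress is a DNS name for AWS-service calls
        if any(ip in net for net in nets):
            continue  # expected origin
        grouped[(key, src)].append(ev)

    findings = []
    for (key, src), evs in sorted(grouped.items()):
        findings.append({
            "accessKeyId": key,
            "sourceIPAddress": src,
            "calls": len(evs),
            "firstSeen": min(e["eventTime"] for e in evs),
            "eventNames": sorted({e["eventName"] for e in evs}),
        })
    return findings


if __name__ == "__main__":
    for f in flag_unexpected_key_use(SAMPLE_EVENTS, ALLOWED_NETWORKS):
        print(f"{f['accessKeyId']} used from {f['sourceIPAddress']} "
              f"({f['calls']} calls since {f['firstSeen']}): "
              f"{', '.join(f['eventNames'])}")
```

In production the allowlist would be derived from the organization's NAT and CI egress addresses, and the findings fed to whatever alerting the "automated, rapid response" plan quoted later in the article relies on; the point of the example is that key misuse from a foreign host is visible in the audit trail even before the attacker touches sensitive data.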
Risks in the Cloud
Greg Foss, manager of security operations at LogRhythm, told eSecurity Planet by email that while cloud services are convenient, there's always risk associated with them, no matter how secure they are. "Companies are placing the protection of sensitive data in the hands of a vendor, and vulnerabilities will happen, regardless of the solution," he said.
"It's important to vet the services that you are taking advantage of, understand the risks, and ensure that you take full advantage of the security controls provided by the vendor," Foss said. "Most importantly, develop a plan for how to respond in the event that a breach of this service occurs."
Evident.io vice president John Martinez said the breach highlights two important points about cloud security management. "For one, organizations need to have an automated, rapid response management plan to handle configuration failures," he said. "Reducing the time to alert on these kinds of issues reduces the time that your applications and customer data are vulnerable to breaches."
"Secondly, to truly defend against attacks targeted at the identity layer of the cloud stack, enterprises need multi-factor authentication (MFA) for all users," Martinez added. "A second validation or authentication method provides another layer of protection around user logins."
Chris Morales, head of security analytics at Vectra Networks, said that while single sign-on offers users easy access to apps and sites, it's also a major target for cybercriminals. "An en masse data theft at OneLogin has earned the hacker a significant haul of customers' account credentials, including plain text access to passwords," he said. "This data can either be sold on or directly used for further breaches and theft."
According to a recent Digital Shadows report, cybercriminals are increasingly using stolen data like this to launch credential stuffing attacks, automating the process of trying large sets of stolen credentials on login pages.
Last year, according to the report, 97 percent of businesses in the Forbes 1000 had credentials exposed.
To protect yourself, Digital Shadows suggests taking the following key steps:
- Monitor for leaked credentials of your employees
- Monitor for mentions of your company and brand names across cracking forums
- Monitor for leaked credentials of your customers
- Deploy an inline Web Application Firewall
- Increase user awareness
- Gain an awareness of credential stuffing tools
- Implement multi-factor authentication that doesn't leverage SMS
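Credential stuffing, as the report describes it, is an automated sweep of many stolen username/password pairs against a login page. Its footprint in an authentication log is distinctive: one source trying many distinct accounts in a short window, almost all of them failing, with the occasional success marking an account whose password was reused. The following is an added example, not code from Digital Shadows or OneLogin, of detecting that pattern with a sliding time window; the log format and the sample lines are constructed for illustration.

```python
"""Detect credential-stuffing patterns in a simple authentication log.

Added example. The line format (`<timestamp> ip=<addr> user=<name>
result=ok|fail`) and the sample lines are constructed, not a real product's
log; adapt the regex to the log source at hand.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)

# Constructed sample log. 198.51.100.5 sweeps eight accounts in twelve
# seconds and lands one success; 203.0.113.9 is one user mistyping a password;
# 192.0.2.33 is two successful logins from a shared NAT address.
SAMPLE_LOG = """\
2017-06-01T02:00:01Z ip=198.51.100.5 user=alice result=fail
2017-06-01T02:00:03Z ip=198.51.100.5 user=bob result=fail
2017-06-01T02:00:04Z ip=198.51.100.5 user=carol result=fail
2017-06-01T02:00:06Z ip=198.51.100.5 user=dave result=ok
2017-06-01T02:00:07Z ip=198.51.100.5 user=erin result=fail
2017-06-01T02:00:09Z ip=198.51.100.5 user=frank result=fail
2017-06-01T02:00:10Z ip=198.51.100.5 user=grace result=fail
2017-06-01T02:00:12Z ip=198.51.100.5 user=heidi result=fail
2017-06-01T02:00:13Z ip=203.0.113.9 user=ivan result=fail
2017-06-01T02:00:40Z ip=203.0.113.9 user=ivan result=fail
2017-06-01T02:01:02Z ip=203.0.113.9 user=ivan result=ok
2017-06-01T02:05:00Z ip=192.0.2.33 user=judy result=ok
2017-06-01T02:05:30Z ip=192.0.2.33 user=mallory result=ok
"""


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "ip": m["ip"],
        "user": m["user"],
        "ok": m["result"] == "ok",
    }


def detect_credential_stuffing(lines, window=timedelta(minutes=5),
                               min_users=5, min_fail_ratio=0.7):
    """Return {ip: finding} for every source that, within any `window`, tried
    at least `min_users` distinct accounts with a failure ratio of at least
    `min_fail_ratio`. Successful logins inside the flagged window are listed as
    accounts to treat as compromised."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_ip[ev["ip"]].append(ev)

    findings = {}
    for ip, events in by_ip.items():
        events.sort(key=lambda e: e["ts"])
        in_window = deque()          # events inside the current sliding window
        user_counts = defaultdict(int)
        fails = 0
        for ev in events:
            in_window.append(ev)
            user_counts[ev["user"]] += 1
            fails += 0 if ev["ok"] else 1
            # Evict events older than the window relative to the newest one.
            while ev["ts"] - in_window[0]["ts"] > window:
                old = in_window.popleft()
                user_counts[old["user"]] -= 1
                if user_counts[old["user"]] == 0:
                    del user_counts[old["user"]]
                fails -= 0 if old["ok"] else 1
            ratio = fails / len(in_window)
            if len(user_counts) >= min_users and ratio >= min_fail_ratio:
                findings[ip] = {
                    "ip": ip,
                    "distinct_users": len(user_counts),
                    "attempts": len(in_window),
                    "fail_ratio": round(ratio, 3),
                    "successes": [e["user"] for e in in_window if e["ok"]],
                }
    return findings


if __name__ == "__main__":
    for f in detect_credential_stuffing(SAMPLE_LOG.splitlines()).values():
        print(f"{f['ip']}: {f['distinct_users']} accounts, {f['attempts']} attempts, "
              f"{f['fail_ratio']:.0%} failed, successes={f['successes']}")
```

The single-user retry from 203.0.113.9 is not flagged because the distinct-account count never reaches the threshold, which is what separates a forgotten password from a sweep; the successes list is the actionable output, since those accounts need a forced reset and, per the report's last recommendation, MFA that does not depend on SMS. Thresholds should be tuned per site: a large shared NAT can legitimately show many distinct users, but not with a 70 percent failure rate.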
"Many organizations are suffering breach fatigue due to the huge numbers of credentials exposed via not only high profile incidents like those suffered by Myspace, LinkedIn and Dropbox, but also from tens of thousands of smaller breaches," Digital Shadows vice president Rick Holland said in a statement. "But it is critical that businesses arm themselves with the necessary intelligence and insight to manage their digital risk and prevent this problem [of] credential exposure from escalating into an even more severe problem."