OneLogin security breach – Secure Notes exposed

The cloud-based single sign-on and identity management service provider OneLogin, which is used by more than 1400 enterprise customers in 44 countries, has suffered a breach.

Customers’ Secure Notes, which are used “to securely store information such as license keys and firewall passwords”, were accessed by an unauthorised intruder in cleartext before they had been encrypted.

The intruder was able to view Secure Notes updated between 2 June and 25 August 2016.

In a blog post earlier this week, OneLogin’s CIO Alvaro Hoyos explained: “A bug caused these notes to be visible in our logging system prior to being encrypted and stored in our database. We subsequently discovered evidence that an unauthorized user gained access to this system by compromising a OneLogin employee’s password for that system.”
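The failure Hoyos describes is an ordering problem: a secret reached the logging system before it reached the encryption step, so anyone with log access saw it in the clear. The constructed Python below (an added illustration, not OneLogin’s code; the `store_encrypted` stand-in and the field names are assumptions) contrasts that unsafe ordering with two defences a logging pipeline should have anyway: encrypt before logging and log only a non-reversible fingerprint, plus a last-line `logging.Filter` that scrubs known secret fields from any record that still carries them.

```python
import hashlib
import logging
from io import StringIO

# Field names treated as secrets by the redaction filter (constructed list).
SECRET_FIELDS = {"note", "password", "license_key"}


class RedactSecrets(logging.Filter):
    """Scrub secret fields out of dict-style log arguments before any handler writes them."""

    def filter(self, record: logging.LogRecord) -> bool:
        if isinstance(record.args, dict):
            record.args = {k: ("[REDACTED]" if k in SECRET_FIELDS else v)
                           for k, v in record.args.items()}
        return True  # keep the record, just with secrets removed


def fingerprint(value: str) -> str:
    # Short, non-reversible reference so a note can still be correlated across log lines.
    return hashlib.sha256(value.encode()).hexdigest()[:12]


def store_encrypted(note: str) -> str:
    # Stand-in for the real encrypt-then-store step (constructed; not a cipher).
    return "ciphertext:" + fingerprint(note)


def save_note_unsafe(logger: logging.Logger, user: str, note: str) -> str:
    # Vulnerable ordering: the full request, secret included, hits the log sink before encryption.
    logger.info("save_note user=%(user)s note=%(note)s", {"user": user, "note": note})
    return store_encrypted(note)


def save_note_safe(logger: logging.Logger, user: str, note: str) -> str:
    # Hardened: encrypt first, and log only a fingerprint of the note, never its content.
    ciphertext = store_encrypted(note)
    logger.info("save_note user=%(user)s note_fp=%(note_fp)s",
                {"user": user, "note_fp": fingerprint(note)})
    return ciphertext


def run(redact: bool, safe: bool, note: str) -> str:
    """Save one note under the chosen logging configuration and return what the log captured."""
    buf = StringIO()
    logger = logging.getLogger(f"notes.redact={redact}.safe={safe}")
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    logger.addHandler(logging.StreamHandler(buf))
    if redact:
        logger.addFilter(RedactSecrets())  # logger-level filter runs before every handler
    (save_note_safe if safe else save_note_unsafe)(logger, "alice", note)
    return buf.getvalue()
```

Only the first configuration (no redaction, log-before-encrypt) leaks the note text; the fingerprint in the hardened path lets an investigator still trace which note a log line refers to.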

Password security

Exactly how the intruder got hold of the OneLogin employee’s password isn’t known, but one thing we do know is that poor password practices frequently cause breaches, especially when users employ weak passwords and reuse credentials across multiple sites and services.

Other recent password breaches

OneLogin’s breach follows hot on the heels of Dropbox’s announcement earlier this week that more than 68 million customers’ pre-2012 credentials had been compromised, and Opera’s announcement last week that 1.7 million Opera sync users’ account information may have been compromised.

Earlier this year, passwords relating to millions of users of LinkedIn (where the second most common password is, incredibly, ‘linkedin’), MySpace and Tumblr were put up for sale on the dark web – and I wouldn’t be at all surprised if all of these attacks were connected, such is the prevalence of poor password practices.

How you can mitigate the risk to your network

The knock-on effect of a single data breach could jeopardise the security of multiple accounts. In an enterprise context, if your staff are in the habit of using weak passwords, or reusing or sharing their credentials, your network is at risk.

If you’re a manager, it’s essential to train your staff to be aware of information security risks and the threat of phishing, and to have robust information security policies that enforce the use of strong and regularly changed passwords, and proper access management policies that ensure the only people who can access your networks and systems are the ones who should. You should also look into using two-factor authentication where practicable.

ISO 27001 information security best practice

The information security standard ISO 27001 sets out the requirements of a best-practice ISMS (information security management system) that addresses people, processes and technology. All organisations – whatever their size, sector or location – can use ISO 27001 to address the information security threats they actually face, including the poor password practices of their staff.

Help with ISO 27001

IT Governance has been helping organisations implement ISO 27001 for well over a decade, and is your single source for everything to do with ISO 27001 – from the Standard itself to books, documentation toolkits, training courses, consultancy and software to help you implement an information security management system in your organisation.