OneLogin, a popular single sign-on service, has announced that sensitive data was leaked from its infrastructure during an attack. OneLogin, which is used on many WordPress sites and Magento eCommerce stores, has confirmed that the leaked data could include user information, passwords, API keys, secure notes and other data that could be used to compromise user accounts on other services.
If you use OneLogin with your WordPress site, you should have received an email from the company with advice about how to mitigate the risk. If you haven’t received an email, you should log into your OneLogin account for further details or take a look at this post on Wordfence, which details some of the lengthy list of mitigation steps that OneLogin advises site owners to implement.
OneLogin is a single sign-on provider. SSO allows a user to log in to many services with the same ID and password. The most visible manifestation of a single sign-on service is Facebook’s social logins, which allow people with a Facebook account to log in to thousands of sites and eCommerce stores using their Facebook account.
As you might imagine, to make single sign-on work, the service provider needs to store some data that, if leaked, would be very bad news for anyone using the service. Towards the end of last month, an attacker got hold of AWS keys for one of OneLogin’s US regions. The attacker used those credentials to access servers in the region. OneLogin didn’t notice the breach for seven hours, which is more than enough time to exfiltrate a lot of damaging information.
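The seven-hour window above is the part a defender can shorten. The following is an added example, not code from OneLogin or from the original article: it scans constructed CloudTrail-style records for an access key being used from outside its expected network range or region, and measures how long the suspicious activity ran. The key ID, CIDR ranges and events are hypothetical, constructed for this example.

```python
"""Flag AWS API calls made with a known access key from outside its
expected network/region baseline, and measure the window between the
first and last suspicious call. All log records below are constructed."""
import ipaddress
import json
from datetime import datetime, timezone

# Baseline per access key: the networks and regions it should be used from.
# Hypothetical key ID and documentation-only CIDR (TEST-NET-3), constructed here.
KEY_BASELINE = {
    "AKIAEXAMPLEBUILD0001": {
        "networks": ["203.0.113.0/24"],   # e.g. a CI runner's egress range
        "regions": {"us-east-1"},
    },
}


def _rec(time, name, region, ip, key="AKIAEXAMPLEBUILD0001"):
    """Build one constructed CloudTrail-like record as a JSON line."""
    return json.dumps({"eventTime": time, "eventName": name, "awsRegion": region,
                       "sourceIPAddress": ip, "userIdentity": {"accessKeyId": key}})


# Constructed sample log: one normal call, then the same key used from an
# unfamiliar address (198.51.100.77, TEST-NET-2) for seven hours.
SAMPLE_LOG = "\n".join([
    _rec("2017-05-31T02:00:00Z", "DescribeInstances", "us-east-1", "203.0.113.10"),
    _rec("2017-05-31T02:05:00Z", "DescribeInstances", "us-east-1", "198.51.100.77"),
    _rec("2017-05-31T04:30:00Z", "GetObject", "us-east-1", "198.51.100.77"),
    _rec("2017-05-31T09:05:00Z", "Decrypt", "us-west-2", "198.51.100.77"),
    _rec("2017-05-31T09:10:00Z", "ListBuckets", "us-east-1", "203.0.113.11"),
])


def parse_events(log_text):
    """Parse newline-delimited JSON records into dicts, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def _off_baseline(event, baseline):
    """Return the list of reasons this event falls outside the key's baseline."""
    reasons = []
    try:
        ip = ipaddress.ip_address(event["sourceIPAddress"])
        if not any(ip in ipaddress.ip_network(n) for n in baseline["networks"]):
            reasons.append("source IP outside baseline")
    except ValueError:
        # AWS service principals log a hostname rather than an IP;
        # skip the network check but still apply the region check.
        pass
    if event["awsRegion"] not in baseline["regions"]:
        reasons.append("region outside baseline")
    return reasons


def find_suspicious_key_usage(events, baselines=KEY_BASELINE):
    """Return findings for every call by a baselined key that breaks its baseline."""
    findings = []
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        baseline = baselines.get(key)
        if baseline is None:
            continue  # keys with no baseline need their own handling
        reasons = _off_baseline(ev, baseline)
        if reasons:
            findings.append({"time": ev["eventTime"], "key": key,
                             "event": ev["eventName"],
                             "ip": ev["sourceIPAddress"], "reasons": reasons})
    return findings


def exposure_window_hours(findings):
    """Hours between the first and last suspicious call (0.0 if none)."""
    if not findings:
        return 0.0
    times = [datetime.strptime(f["time"], "%Y-%m-%dT%H:%M:%SZ")
             .replace(tzinfo=timezone.utc) for f in findings]
    return (max(times) - min(times)).total_seconds() / 3600


if __name__ == "__main__":
    found = find_suspicious_key_usage(parse_events(SAMPLE_LOG))
    for f in found:
        print(f["time"], f["key"], f["event"], f["ip"], "; ".join(f["reasons"]))
    print("suspicious activity spanned %.1f hours" % exposure_window_hours(found))
```

The point of the baseline check is that a stolen key looks identical to the legitimate one on every other field; the source network and region are the cheapest signals that distinguish the two, and alerting on the first off-baseline call rather than reviewing logs later is what turns a seven-hour window into minutes.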
Security best practices mandate that sensitive data be kept encrypted while at rest on the server. The data stolen from OneLogin was encrypted, but according to the company’s announcement, the attacker also compromised “the ability to decrypt encrypted data.”
The compromise of OneLogin secure notes is particularly worrying, because they are often used by server administrators to store sensitive network passwords.
If you use OneLogin’s WordPress Single Sign-On plugin on your site, you should immediately follow the mitigation guide provided by OneLogin to reduce the likelihood that your site and any associated servers will also be compromised.
May’s breach was the second in the last year. In August 2016, the company was forced to warn customers that their secure notes may have been compromised.
Although OneLogin is particularly suited to larger enterprise organizations, it’s not the only provider of a WordPress-compatible single sign-on service. Depending on your needs, you might want to take a look at the single sign-on service included in the Jetpack plugin collection, which allows WordPress users to sign in to self-hosted WordPress sites with their WordPress.com credentials.
SAML Single Sign On by miniOrange is closer to OneLogin in functionality, and is compatible with a wide range of single sign-on Identity Providers, including Google Apps, Azure, Okta, and Salesforce.