On Wednesday, OneLogin—a company that allows users to manage logins to multiple sites and apps all at once—announced it had suffered some form of breach. Although it’s not clear exactly what data has been taken, OneLogin says that all customers served by the company’s US data centre are impacted, and has quietly issued a set of serious steps for affected customers to take.
“Today we detected unauthorized access to OneLogin data in our US region,” the company wrote in a blog post.
Notably, the public blog post omitted certain details that OneLogin mentioned to customers in an email, namely that hackers have stolen customer information.
“Customer data was compromised, including the ability to decrypt encrypted data,” according to a message OneLogin sent to customers. Multiple OneLogin customers provided Motherboard with a copy of the message.
The message also directed customers to a list of required steps to minimize any damage from the breach, which in turn gave an indication of just how serious this episode might be.
According to copies of those steps, users are being told to generate new API keys and OAuth tokens (OAuth being an authorization protocol that lets apps act on an account's behalf); create new security certificates as well as credentials; recycle any secrets stored in OneLogin’s Secure Notes feature; have end-users update their passwords; and more.
“Dealing with aftermath,” one customer told Motherboard. “This is a massive leak.”