Hacker Attack on Password Manager Heightens Concerns


It’s hard to deny the convenience of using a password management program that can maintain or generate all the passwords consumers use these days. All you need to do is remember one password; the password manager remembers all the rest and can even generate complicated passwords that a person could never remember, which helps thwart attacks on personally identifiable information.

The downside to password managers is that they become a single point of failure, and it is that downside that caught up with enterprise software firm OneLogin earlier this week. On Wednesday morning the company alerted its customers to unauthorized access to OneLogin’s data on U.S. customers.

According to the company:

[A] threat actor obtained access to a set of AWS [Amazon Web Services] keys and used them to access the AWS API [application programming interface] from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.

The break-in resulted in access to information about users, apps and various keys, and OneLogin said it “cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”

As we noted from the start, single sign-on programs like OneLogin trade some security for convenience. There’s no question that a target like OneLogin offers more opportunities for a cybercriminal to demand ransom payments or otherwise play havoc with sensitive data.

One way to combat the effects of this kind of attack is to require what is called two-factor authentication. With it, the passwords stolen in this recent attack would be useless to anyone but an authenticated user who has specified a device (usually a cell phone) on which to receive an authentication code that verifies that the person using the password is also the owner of the account. Two-factor authentication is another trade-off: this time, more security for less convenience.