Sunday, June 4, 2017

Carlyle Group Among Hacked OneLogin Customers

HotHardware reported a serious hack on centralized password manager OneLogin:

"We detected unauthorized access to OneLogin data in our US data region," OneLogin disclosed in a blog posting this week.
This initial notice was frustratingly lacking in detail, and customers were left to assume the worst with regards to the severity of the attack. However, OneLogin has since updated its blog posting with more details, including the unfortunate news that hackers were able to gain access to the company's AWS keys.
The hackers were then able to use those keys to "access the AWS API from an intermediate host with another, smaller service provider in the US." The company reports that the intrusion began at 2AM on May 31st, but it wasn't until seven hours later that OneLogin staff detected any anomalies and was able to cut off access. That is a rather lengthy period of time for the "threat actors" to have access to the company's database tables.

OneLogin also provided this rather dour warning:

While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers.

Those actions of course include resetting passwords, generating new API keys and creating new security certificates.
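The detection gap described above (stolen AWS keys used from an outside "intermediate host" for roughly seven hours before anyone noticed) is the kind of thing a simple source-of-use check on API logs would surface. The following is an added example, not code from OneLogin or from the original post: it runs over constructed, CloudTrail-style records (flattened to a few fields; the key IDs, IPs and times are made up) with a hypothetical per-key allowlist of hosts, flags key use from anywhere else, and measures how long the anomaly sat before the assumed detection time.

```python
from datetime import datetime, timedelta

# Constructed CloudTrail-style records (not real OneLogin data). Each is one
# AWS API call made with a long-lived access key; times are UTC.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T01:15:00Z", "accessKeyId": "AKIAEXAMPLE000000001",
     "sourceIPAddress": "203.0.113.10", "eventName": "DescribeInstances"},
    {"eventTime": "2017-05-31T02:02:00Z", "accessKeyId": "AKIAEXAMPLE000000001",
     "sourceIPAddress": "198.51.100.77", "eventName": "ListBuckets"},
    {"eventTime": "2017-05-31T02:05:00Z", "accessKeyId": "AKIAEXAMPLE000000001",
     "sourceIPAddress": "198.51.100.77", "eventName": "GetObject"},
    {"eventTime": "2017-05-31T03:40:00Z", "accessKeyId": "AKIAEXAMPLE000000002",
     "sourceIPAddress": "203.0.113.11", "eventName": "PutObject"},
]

# Hypothetical allowlist: the hosts each key is legitimately used from.
# A key seen from any other address is treated as possibly stolen.
KNOWN_SOURCES = {
    "AKIAEXAMPLE000000001": {"203.0.113.10"},
    "AKIAEXAMPLE000000002": {"203.0.113.11"},
}


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamp format CloudTrail uses."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def find_unknown_source_use(events, known_sources):
    """Return the events where a key was used from an IP outside its allowlist."""
    return [e for e in events
            if e["sourceIPAddress"] not in known_sources.get(e["accessKeyId"], set())]


def detection_lag(events, known_sources, detected_at):
    """Hours between the first anomalous call and the time the team noticed.

    Returns None when nothing anomalous is present in the log slice.
    """
    anomalies = find_unknown_source_use(events, known_sources)
    if not anomalies:
        return None
    first = min(parse_time(e["eventTime"]) for e in anomalies)
    return (parse_time(detected_at) - first) / timedelta(hours=1)


if __name__ == "__main__":
    for e in find_unknown_source_use(SAMPLE_EVENTS, KNOWN_SOURCES):
        print("ALERT", e["eventTime"], e["accessKeyId"],
              e["sourceIPAddress"], e["eventName"])
    # Assumed detection time, constructed to mirror the seven-hour gap reported.
    print("hours to detection:",
          detection_lag(SAMPLE_EVENTS, KNOWN_SOURCES, "2017-05-31T09:02:00Z"))
```

In a real deployment the same check would be fed from CloudTrail delivery rather than an inline list, and a key seen from an unknown host would trigger key rotation rather than just a printed alert.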

It is reported that OneLogin provides services to over 2,000 companies (including Yelp, Midas, Pinterest, Pacific Life, The Carlyle Group, Conde Nast, and Pandora) and has millions of individual users. OneLogin allows users to integrate with services like Amazon Web Services, Office 365 and the Google ecosystem.
TechCrunch had a portion of the e-mail sent to customers:
All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.
Carlyle's most recent podcast tackled cybersecurity. Their advice could be timely. Any egg on Carlyle's face would come from vendor selection, not from direct investment.

OneLogin received funding in three rounds: the first, $4.7 million, from Charles River Ventures; the second, $15 million, from Social Capital; and the last, $25 million, from Scale Venture Partners.

I ran across an interesting story that likely is not related. IndiaWest reported on May 13, 2017:

Skyhigh Networks named Dheeraj Khanna as VP of technical operations. Khanna joins Skyhigh from OneLogin, where he built a team from the ground up as the VP of technical operations.
Mr. Khanna's new employer Skyhigh Networks may be in a position to make hay from OneLogin's security failure.

Carlyle is a OneLogin customer and its IT team is working to keep its data safe. The question is who used OneLogin at Carlyle? Possibilities include employees, founders and/or limited partners. Limited partners do not like surprises, especially those placing their data at risk.