Cyber Incident Victim: OneLogin
Date: May 2017
Location: United States of America
Summary
A cybersecurity breach at OneLogin involved unauthorized access through compromised AWS keys, enabling threat actors to create instances for reconnaissance within the company's US infrastructure over a seven-hour period. The intrusion exposed customer data, including user information, application details, and encryption keys, with evidence suggesting the attackers potentially obtained decryption capabilities. Affected customers, primarily those using the US data center, were advised to regenerate API credentials and OAuth tokens as part of remediation efforts. This incident marked the second significant security lapse for the company within a year, following a prior breach involving unsecured log storage systems.
Description
On May 31, 2017, at approximately 2:00 AM PST, an attacker gained unauthorized access to OneLogin's US data region infrastructure by exploiting compromised AWS keys. The threat actor used these keys to access the AWS API from an intermediate host linked to a smaller US-based service provider, then created multiple AWS instances within OneLogin's environment to conduct reconnaissance activities. The intrusion remained undetected for approximately seven hours until OneLogin's security team identified unusual database activity around 9:00 AM PST. Within minutes of detection, the company terminated the malicious AWS instances and revoked the compromised keys to contain the breach. Forensic analysis revealed the attacker accessed database tables containing customer information, application data, and various cryptographic keys. OneLogin notified law enforcement and engaged an independent security firm to investigate the intrusion's origin and full scope.

The breach potentially exposed sensitive customer data, with OneLogin confirming the attacker may have obtained decryption capabilities for encrypted information stored in affected systems. All customers using OneLogin's US data center infrastructure were impacted, requiring comprehensive security remediation including API credential resets, OAuth token regeneration, and authentication system rebuilds. OneLogin communicated specific remediation steps directly to affected customers while continuing its investigation to determine how the AWS keys were compromised. This marked the second significant security incident for the company within a year, following an August 2016 breach where an unauthorized user accessed cleartext login data through a vulnerable log storage system. The company's CISO Alvaro Hoyos publicly acknowledged both breaches, emphasizing ongoing efforts to prevent future incidents while working to implement infrastructure improvements based on investigation findings.
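The description above turns on two defensive points: API calls made with compromised long-lived keys from an unfamiliar host went unnoticed for roughly seven hours, and containment consisted of terminating the rogue instances and revoking the keys. The following is an added example, not code from the incident page or from OneLogin, of a minimal CloudTrail-style triage check that pairs a "source IP outside known ranges" signal with a provisioning/enumeration call or a stale access key, and then reports dwell time and the keys to revoke. The trusted CIDR, the key ids, the event records and the detection timestamp are all constructed for the example; real CloudTrail records carry many more fields.

```python
# Added example, not code from the incident page or from OneLogin: a small
# CloudTrail-style triage check of the kind that shortens the dwell time the
# page describes. All records, addresses and key ids below are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Set
import ipaddress

# Constructed baseline: where deployment tooling normally calls the AWS API
# from (TEST-NET-3, a documentation range) and when each access key was rotated.
TRUSTED_CIDRS = [ipaddress.ip_network("203.0.113.0/24")]
KEY_ROTATED = {
    "AKIAEXAMPLEDEPLOY01": datetime(2017, 1, 10, tzinfo=timezone.utc),
    "AKIAEXAMPLEBACKUP02": datetime(2017, 5, 20, tzinfo=timezone.utc),
}
MAX_KEY_AGE = timedelta(days=90)

# Calls that provision compute or enumerate the account: a burst of these
# from an unfamiliar host is the reconnaissance pattern described above.
PROVISION_OR_ENUMERATE = {"RunInstances", "DescribeInstances",
                          "DescribeDBInstances", "ListBuckets"}

# Constructed CloudTrail-like records (real records carry many more fields).
EVENTS = [
    {"eventTime": "2017-05-31T08:55:00Z", "eventName": "DescribeInstances",
     "accessKeyId": "AKIAEXAMPLEDEPLOY01", "sourceIPAddress": "203.0.113.10"},
    {"eventTime": "2017-05-31T09:00:00Z", "eventName": "RunInstances",
     "accessKeyId": "AKIAEXAMPLEDEPLOY01", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-05-31T09:05:00Z", "eventName": "DescribeDBInstances",
     "accessKeyId": "AKIAEXAMPLEDEPLOY01", "sourceIPAddress": "198.51.100.7"},
    {"eventTime": "2017-05-31T10:30:00Z", "eventName": "ListBuckets",
     "accessKeyId": "AKIAEXAMPLEBACKUP02", "sourceIPAddress": "203.0.113.11"},
    {"eventTime": "2017-05-31T12:00:00Z", "eventName": "GetCallerIdentity",
     "accessKeyId": "AKIAEXAMPLEBACKUP02", "sourceIPAddress": "198.51.100.7"},
]
# Constructed moment at which the security team responded.
DETECTED_AT = datetime(2017, 5, 31, 16, 0, tzinfo=timezone.utc)


@dataclass
class Finding:
    time: datetime
    event: str
    access_key: str
    source_ip: str
    reasons: List[str]


def parse_time(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_trusted_ip(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_CIDRS)


def check_event(ev: dict) -> Optional[Finding]:
    when = parse_time(ev["eventTime"])
    untrusted = not is_trusted_ip(ev["sourceIPAddress"])
    sensitive = ev["eventName"] in PROVISION_OR_ENUMERATE
    rotated = KEY_ROTATED.get(ev["accessKeyId"])
    stale = rotated is None or when - rotated > MAX_KEY_AGE
    # Alert only when the network signal is paired with a second one; a stale
    # key used from the pipeline host is a hygiene ticket, not an intrusion.
    if not (untrusted and (sensitive or stale)):
        return None
    reasons = ["source IP outside trusted ranges"]
    if sensitive:
        reasons.append("provisioning/enumeration call")
    if stale:
        reasons.append("unknown or stale access key")
    return Finding(when, ev["eventName"], ev["accessKeyId"],
                   ev["sourceIPAddress"], reasons)


def detect(events: List[dict]) -> List[Finding]:
    return [f for f in (check_event(e) for e in events) if f is not None]


def dwell_time(findings: List[Finding], detected_at: datetime) -> Optional[timedelta]:
    """Gap between the first flagged call and the moment the team responded."""
    if not findings:
        return None
    return detected_at - min(f.time for f in findings)


def keys_to_revoke(findings: List[Finding]) -> Set[str]:
    """Containment step from the page: revoke every key seen in a finding."""
    return {f.access_key for f in findings}


if __name__ == "__main__":
    found = detect(EVENTS)
    for f in found:
        print(f.time.isoformat(), f.event, f.source_ip, "; ".join(f.reasons))
    print("dwell time before response:", dwell_time(found, DETECTED_AT))
    print("keys to revoke:", sorted(keys_to_revoke(found)))
```

Run as-is, the check flags the two calls made with the stale deployment key from the unknown host, leaves the lone `GetCallerIdentity` from that host unflagged because it carries only one signal, and reports a seven-hour gap to the constructed response time. The two-signal rule is the design choice to argue about in a real deployment: it keeps routine pipeline activity quiet, but it means unknown-host activity with a fresh key needs a separate rule.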
