Cloud-based Password Manager OneLogin Hacked

Ray Walsh

Ray Walsh

June 5, 2017

Nowadays, people need to remember huge amounts of passwords. For those passwords to be truly secure, they need to be complex enough that they can’t be remembered. Furthermore, it is essential that those randomized passwords – filled with upper and lower case letters, numbers, and symbols – be different for every single account.

Having the same password for more than one account means that if one password is compromised, other logins can also potentially be penetrated. In a time when hackers often sell hacked databases of passwords and credentials on the deep web, the need for robust, complex, and unique passwords has never been more important.

Password Managers

One popular solution for this problem is the use of a password manager. A password manager allows people to access all their unique, strong passwords, in one place: with just one master password. The result is that people (or businesses) can have control over many passwords – while only having to remember one strong password.

In theory, this is a fantastic way of protecting multiple accounts with strong passwords that would otherwise be impossible to remember. The problem, however, is that if someone manages to hack that password manager: they get everything.

It is for this reason that security experts have long espoused the perils of using password managers, likening the use of the popular solution to keeping all your eggs in one basket. This is particularly true of cloud based solutions.

Screenshot from OneLogin’s website.

Worst Case Scenario

For hackers, getting access to a treasure trove of passwords is the equivalent of having hacked multiple accounts in one go. For this reason, password managers have long been considered an immensely attractive target for cybercriminals.

Now, those concerns have been proven correct, with news that the popular password manager OneLogin has suffered a devastating penetration. OneLogin is a firm that is based in San Francisco, it provides a cloud-based password management service for both apps and online accounts.

Last Wednesday, the company admitted that it suffered a hack that has put its customers – including some 2000 businesses – passwords at risk. In an email sent to its subscribers, OneLogin said the following:

“OneLogin believes that all customers served by our US data center are affected and customer data was potential compromised.”

In addition, the firm announced that although it didn’t know for sure, it is possible that the hacker had not only managed to hack into accounts but could also have decrypted them – revealing customers’ passwords.

A blog post made by the firm’s chief information security officer, Alvaro Hoyos, read as follows,

“Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.

While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”


Among those affected is a university in the United States called Elon. Elon is a private university that is situated in North Carolina. On Saturday the university sent an email to all of its students warning them to change their passwords after it was revealed that 1500 accounts may have been affected by the OneLogin breach.

Students were given until 1 pm EST to change their passwords or they would be locked out of their accounts. According to the university, the OneLogin breach affected authentication between Elon students and the Syncplicity backup service that the university uses.

According to the email, although passwords had been compromised no evidence had surfaced that data stored on Syncplicity had been accessed.

It has also been reported that Microsoft Office 365, Google Analytics, LinkedIn, and Slack, use OneLogin. As such, users of those services (particularly from the US) may want to update their passwords.

According to a spokesperson for OneLogin, the firm is trying to “verify the extent of the impact of this incident.” In addition OneLogin has come forward with the following information:

“Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US.”

According to the statement the firm noticed unusual activity approximately seven hours after the original breach is belived to have occurred. At that time they “ shut down the affected instance as well as the AWS keys that were used to create it”.

However OneLogin has confirmed that the hacker “was able to access database tables that contain information about users, apps, and various types of keys,” during the time that they were inside OneLogin’s systems.

What to do if you have been affected

So far, OneLogin hasn’t revealed any information about how many people might have been affected by the cyberattack. However, the company has urged its users to take a few steps in order to protect themselves:

  1. Customers need to change their passwords,
  2. Customers need to generate new API keys for their services.
  3. New OAuth tokens (used for logging into accounts and to create new security certificates) must also be created.

The firm has also revealed that information stored in its Secure Notes feature (which also suffered a hack last August) – used by IT administrators to store sensitive network passwords – may have also been decrypted.

Bad Choices

Financial fraud analyst at Gartner, Avivah Litan, has come forward to reinforce the dangers of using online password managers like OneLogin. “It’s just such a massive single point of failure,” the expert commented before adding,

“This breach shows that other [cloud-based single sign-on] services are vulnerable, too. This is a big deal and it’s disruptive for victim customers, because they have to now change the inner guts of their authentication systems and there’s a lot of employee inconvenience while that’s going on.”

On its website, OneLogin says that a large number of well known multinational corporations such as ARM, Dun & Bradstreet, The Carlyle Group, Conde Nast, and Dropbox are all customers. With that in mind – and considering the amount of passwords that might have been affected – this is definitely one of the most sensitive cyberattacks we have seen this year.

Online VS Offline Password Managers

While Online password managers can be considered more convenient, the drawback is that passwords are stored on a server that can be accessed via the internet. As this hack proves, the trouble with this is that if hackers gain access to the database they gain access to huge amounts of passwords.

Here at we tend to recommend services such as KeePass which provides an end to end encryption solution for password management. These do require more setup, because the software must be downloaded and installed locally. However, the outcome is that stored passwords are encrypted with a key that can be kept on Dropbox, for instance. This means that it is still possible to access passwords when away from home (using a master password).

This massively reduces the risk of them being targeted by hackers. It also solves the problem of purely offline password management that isnt available outside of your computer (unless you also put the keys on a USB stick – and then other problems arise – such as losing it, not being allowed to use it on public computers, and even syncing problems). Sadly, despite being the best solution, password managers with end to end encryption are still the rarest kind

Sadly, despite being the best solution, password managers with end to end encryption are still the rarest kind. This is because users need to remember a master password  -and if they forget it (or lose the key file) – they are locked out of all their passwords. Due to the fact that many people find it hard to remember a strong master password this often becomes a problem, and deters password management firms (like OneLogin) from selecting this much more secure system.

Get a VPN service today

A VPN is the best personal cybersecurity product on the market

Unblock any website with a VPN today

Old School

Finally, there is always something to be said for keeping a well stocked book shelf. Having a bookshelf doesn’t just make you look well read when you have a dinner party, but it also allows you to pull out a random book, open it to page 93, and write down all your passwords and usernames.

This might not be ideal for people living in shared accommodation, and may not even be suitable for those with a jealous lover. However, for many people this is a solid solution that removes all chances of hackers making off with your passwords. In addition, consumers are advised that wherever possible they should use two factor authentication.

Opinions are the writer’s own.

Title image credit: Pressmaster/

Image credits: BeeBright/, faithie/

Ray Walsh

I am a freelance journalist and blogger from England. I am highly interested in politics and in particular the subject of IR. I am an advocate for freedom of speech, equality, and personal privacy. On a more personal level I like to stay active, love snowboarding, swimming and cycling, enjoy seafood, and love to listen to trap music.

14 responses to “Cloud-based Password Manager OneLogin Hacked

  1. KeePass Rijndael or Twofish, later with Argon2. Password Safe Twofish.

    Never let them touch the cloud, include portable ZIPs with your local copies.

    (To make a Portable with Password Safe, “Green” installation, compress the directory.)

    1. Hi AG,

      IMO a Keepass file can be safely stored in the cloud. It doesn’t matter how insecure the cloud service is, as strong encryption will ensure it remains safe.

    2. Hi Douglas,

      Thats ridiculous. Doesnt matter that they may not get into the file, the principle of anyone having it is what you should be imagining. Does that make sense? Secondly, there could be a crack, the NSA likely has a crack for AES/Rijndael thats why they recommend it to us. They can probably bust through it by a magnitude faster than we estimate. There wouldnt be a published crack to AES, thatd be national security territory, and a juicy one that would be. You can operate a USB drive and have the KDBX/PSAFE3 file in triplicate, in your power, as say gold would be but not a certificate for gold from some nameless faceless company in the sky. Password databases shouldnt touch the cloud, period. Not as convenient as one would like, but eh, figure out how do it discrete and old fashioned, sneaker net.

      See also, Cryptomator

      1. Hi AG,

        – I suppose it depends on how paranoid you are, but even the NSA isn’t getting into a TwoFish-256 encrypted file any time soon (even quantum computing will struggle against symmetric ciphers such as this).
        – I am not convinced that the NSA _does_ have a crack for AES, but I agree that NIST certification introduces worries.
        – We must all assess our own threat models, but imo a Keepass file that has been encrypted with a strong cipher can be safely stored any pretty much anywhere.

    1. Seriously, how many security ‘experts’ are warning about the dangers of password managers? You must have worked hard to find this Gartner guru, because most of them are caught in the same bind as the rest of us – security vs. convenience. Almost every security expert you ask will say “Use a password manager and good passwords”. They won’t say “use something memorable” – or “pen and paper”.

      Of course, they will also point out that you are merely scaremongering about LastPass, Douglas – which has not been breached and pretty much cannot be breached. Why not? That end-to-end encryption for which you favour KeePass. Yes, smart people are looking very closely at the software and finding potential risks there – which LastPass generally patches within hours, exactly what a password manager should be doing!

      In the meantime, if you want to be safe keep your passwords close to hand – not on the Internet!

      1. Hi Stephen,

        But as I have pointed out, LastPass has been hacked. Twice. Please see here and here for LastPass’ own official statement’s on the incidents. An AES-256 or Twofish encrypted KeePass file, on the other hand, is effectively uncrackable.

    2. Douglas, again – the hackers only get encrypted garbage! LastPass does not see your passwords or have access to them, as they are encrypted before they leave your device.

      (Maybe I should try it sometime – or maybe I’m even more paranoid than you.)

      1. Hi Stephen,

        Well.. “The investigation has shown, however, that LastPass account email addresses, password reminders, server per user salts, and authentication hashes were compromised.” Sounds serious to me! As I noted in my LastPass Review:

        “Because encryption/decryption is performed in your browser, and only you have the master password and decryption key (these do not leave your computer), LastPass technically uses end-to-end encryption. However…

        LastPass does allow password recovery. It achieves this by making a password hash out your master password + username (salted many times), which is sent to the LastPass servers. To recover this master password, it must be combined with your username (email address) and password.”

        This means the data obtained by hacker during the last breach would (at least in theory) be enough for hackers to compromise users’ master passwords. I am not aware of any evidence that this actually happened, but it is most certainly possible.

  2. Industry Cloud computing
    Headquarters San Francisco, CA
    OneLogin announced a partnership with Deutsche Telekom’s T-Systems to resell OneLogin into Germany and the European Union
    OneLogin is backed by the venture firms Charles River Ventures, The Social+Capital Partnership and Scale Venture Partners.
    Rogue user access, August 2016
    Customer data exposed decrypted, May 2017
    In May 2017, the company detected unauthorised access in their US data region.
    “customer data was compromised, including the ability to decrypt encrypted data.”
    That indicates that the hacker obtained a level of access that some services don’t even create in the first place.
    End to end encryption and (nearly) zero knowledge systems exist to prevent this kind of hack.

    Hobby Secure email
    Headquarters not at the CERN (european research so corrupted & low-level)
    On 18 March 2015, ProtonMail received US$2 million from Charles River Ventures.
    In order to mitigate the DDoS attack – YES , the ddos attack (the link is on the protonmail site not a fake one pls !)is this one : – (attacked not only the datacenter, but also routers in Zurich, Frankfurt, and other locations where our ISP has nodes) – against us, ProtonMail partnered with Radware, one of the world’s premier DDoS protection companies.
    Radware’s corporate headquarters are located in the U.S. and international headquarters are located in Tel Aviv.
    it means several closed-partnership with military defense.
    Zurich : (n.b : zurich is one of the financial center for germany funds)
    Frankfurt : (n.b : frankfurt was one of the hidden-headquarter of the nsa)
    Genova/Lausanne : (n.b : can you prove that there are not a back-up in usa/isreal data-centers ? do you really think that this place is safe for your data ? (jewish/usa bankers-funds excepted) ?)
    ProtonMail maintains two redundant data centres in Lausanne and Attinghausen … and zurich and francfurt and … so many lies & bad communication strategies …
    These 2 app are owned by -or the toys of- very bad guys : avoid.
    I conclude that proton-mail is compromised & hacked (and onelogin too)_ hotspot _ (is it a scoop ? no …).

    Disclaimer : Every year, new products are spreading the world and most of time these one are made by propaganda , for the fun …
    Enjoy !

    reference Douglas Crawford _verified_: To the best of my knowledge, OneLogin and ProtonMail are not related.
    Indeed, ProtonMail operates out of Switzerland and has no data centers located in the US.
    ProtonMail has also not been hacked, although it did suffer a DDoS attack … lol.

    1. Hi fidji_land,

      I don’t dispute much of what you say, but as far as I know, ProtonMail’s partnership with Radware only extends so far as providing DDoS protection for its servers. Most importantly, emails sent between ProtonMail users are e2e encrypted, and emails can also be sent e2e encrypted to non-members.

  3. one login & protonmail have the same boss:sponsor (venture & e.u); both are connected/redirected inside the u.s.a by their servers (like most cloud app , one here:official location and a copy in the usa:backup) ; both were hacked (sold:replaced by an official order) at the same period ; both are spreading the world about their secure management, their universal quality , both are not recommended : connections of these app with an untrust third party is clear.
    # Nitrokey could manage your password in a safe & secure way & could encrypt your data before to be uploaded with your keys on your pc.

    1. Hi karma,

      I do not believe your comments to be correct. To the best of my knowledge, OneLogin and ProtonMail are not related. Indeed, ProtonMail operates out of Switzerland and has no data centers located in the US. ProtonMail has also not been hacked, although it did suffer a DDoS attack.

Leave a Reply

Your email address will not be published. Required fields are marked *

Exclusive Offer
Get NordVPN for only