OneLogin, a major password manager and identity management provider, confirmed on its blog on May 31, 2017 that it had suffered a major data breach. Described as a “Security Incident”, the breach involved unauthorized access to its US data region. While the extent of the breach is still under investigation, Alvaro Hoyos, Chief Information Security Officer of OneLogin, notes that the company has reached out to impacted customers with specific remediation steps.
The company has millions of users, and boasts of more than two thousand enterprise customers in 44 countries around the world.
The OneLogin company blog notes “Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount.
While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented.”
The blog also links to the OneLogin compliance page, which lists the compliance rules and the assurance, security and privacy programs that OneLogin has implemented, including SOC 2 Type 2 and TRUSTe Certified Privacy.
As a Single Sign On (SSO) provider, OneLogin lets enterprise users access multiple web applications, sites and services with a single set of credentials. The company also provides integration with third-party applications so that users' identities can be synchronized with any number of directories, such as Active Directory, LDAP, Workday, or Google Apps. That central position is what makes a breach at an SSO provider so serious: a compromise of the identity provider, or of the credentials and tokens it holds, can expose every application connected to it rather than a single account.