OneLogin Password Manager Sends Customers Long List of Fixes After Breach

Web Services // United States

Password manager OneLogin acknowledged a breach of its systems, but reports say the company is downplaying how significant the incident may be to customers.

In a blog post, the company said it detected unauthorized access to its U.S. data region, which it has since blocked. It said it is working with an independent security firm to investigate and has reported the incident to law enforcement.

“While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps,” the company said.

However, the public blog post didn’t acknowledge what other company messages said, including that customer data was compromised and a mention of “the ability to decrypt encrypted data,” according to The Register.

Multiple customers forwarded to Motherboard messages from OneLogin that listed what customers should do to remediate the breach. In addition to changing passwords, the company suggested creating new API keys, authentication tokens, security certificates and credentials, as well as "recycling" stored notes.

“That long list might perhaps be why OneLogin's been a bit brief in public: it's a lot of stuff to get done and could set tongues-a-wagging if the extent of the risk became widely known,” The Register said.