Password management provider OneLogin notified its customers on May 31 that it detected unauthorized access to user data.

The company, which provides single sign-on and identity management services for enterprises, issued a statement alerting the public to the OneLogin security breach. However, the original statement from OneLogin's CISO Alvaro Hoyos was vague about the details of the attack.

"Today we detected unauthorized access to OneLogin data in our US data region," Hoyos wrote in the initial blog post. "We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident."

The initial statement from Hoyos about the OneLogin security breach offered no further details and linked only to a page on OneLogin's compliance program where vulnerability reports can be submitted. A day later, Hoyos updated the blog post with further details on the timing, methods and customer impact of the incident.

"The threat actor was able to access database tables that contain information about users, apps, and various types of keys. While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers," Hoyos wrote.

Although Hoyos said the company had reached out to its customers "with specific recommended remediation steps," the email sent to customers was also short on specifics about the OneLogin security breach.

After repeating much of the same information included in the public statement, the email linked to a support page that users can only view after logging into their OneLogin account.

Emails sent to some OneLogin customers also included the detail that "customer data was compromised [in the OneLogin security breach], including the ability to decrypt encrypted data."

Motherboard reported that the support page for the data breach told users to generate new API keys and OAuth tokens, create new security certificates and credentials, recycle any secrets stored in the Secure Notes feature (which lets users store information such as passwords and license keys), and have end users update their passwords.

This is the second OneLogin security breach that the company has suffered in the last year. In August 2016, the company informed its customers that hackers gained access to the Secure Notes feature. The information in Secure Notes was protected by AES-256 encryption, but a vulnerability in OneLogin's implementation made the encrypted data visible as plain text.
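Both incidents come down to the same question: can whoever obtains the database tables also obtain the key that protects them? Hoyos's statement says the accessed tables contained "various types of keys," which is why the company "cannot rule out" decryption. The script below is an added illustration written for this article, not OneLogin's code; it assumes a hypothetical `keys` table and an external KMS or HSM holding a key-encryption key, and it uses an HMAC-SHA256 counter-mode stand-in cipher so it runs on the Python standard library alone (production code would use AES-GCM from a vetted library). It contrasts a data-encryption key stored beside the ciphertext with envelope encryption, where a database dump alone yields nothing.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _subkeys(key: bytes) -> Tuple[bytes, bytes]:
    """Derive separate encryption and MAC keys from one master key."""
    enc = hashlib.sha256(b"enc" + key).digest()
    mac = hashlib.sha256(b"mac" + key).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: a stand-in keystream so this runs on the
    standard library alone. Use AES-GCM from a vetted library in production."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; raise on a wrong key or modified ciphertext."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or modified ciphertext")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


def store_colocated(dek: bytes, note: bytes) -> dict:
    """Layout A (hypothetical): the data-encryption key (DEK) sits in a 'keys' table
    of the same database as the encrypted notes, so a dump carries everything."""
    return {"secure_notes": {"note": encrypt(dek, note)}, "keys": {"dek": dek}}


def store_enveloped(kek: bytes, dek: bytes, note: bytes) -> dict:
    """Layout B (envelope encryption): the database holds only the DEK wrapped under a
    key-encryption key (KEK) that lives outside the database (assumed KMS or HSM)."""
    return {"secure_notes": {"note": encrypt(dek, note)},
            "keys": {"wrapped_dek": encrypt(kek, dek)}}


def recover_from_dump(dump: dict) -> Optional[bytes]:
    """What a holder of only the database tables can read back:
    the plaintext note under layout A, nothing under layout B."""
    keys = dump["keys"]
    if "dek" in keys:
        return decrypt(keys["dek"], dump["secure_notes"]["note"])
    return None  # a wrapped DEK is opaque without the KEK


def service_read(kek: bytes, dump: dict) -> bytes:
    """The legitimate read path for layout B: unwrap the DEK with the KEK, then decrypt."""
    dek = decrypt(kek, dump["keys"]["wrapped_dek"])
    return decrypt(dek, dump["secure_notes"]["note"])


if __name__ == "__main__":
    # Constructed sample values; no real keys or customer data.
    secret_note = b"license-key: ABCD-1234 (constructed sample)"
    dek, kek = secrets.token_bytes(32), secrets.token_bytes(32)
    print("co-located dump yields:", recover_from_dump(store_colocated(dek, secret_note)))
    print("enveloped dump yields:", recover_from_dump(store_enveloped(kek, dek, secret_note)))
```

The contrast is the point: under layout B the rotation advice in the support page (new keys, new tokens, recycled Secure Notes) still applies if the KEK itself may have been reached, but a dump of the tables alone does not hand over the plaintext, which is exactly the uncertainty the "cannot rule out" wording describes.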