On Wednesday, May 31, 2017 we detected unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created the following set of required actions:
Passwords for accessing OneLogin should not be reset unless SSO Password is enabled.
Generate new certificates for your apps that use SAML SSO.
For information about generating new certificates, see Creating and Applying Certificates.
For information about providing the new certificate to the SAML app, see the app-specific documentation in the App Integration section.
Generate new API credentials and OAuth tokens.
For legacy API keys, see developers.onelogin.com/api-docs/v1-v3/getting-started/using-the-onelogin-api
For current API keys, see developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
For refreshing OAuth tokens, see developers.onelogin.com/api-docs/1/oauth20-tokens/refresh-tokens
Generate new directory tokens.
Generate new Desktop SSO tokens and credentials.
If you replicate your directory password to provisioned applications (using the SSO Password feature), force a password reset for your users.
To confirm whether you provision the directory password to an app, go to the Parameters tab for that app and look for the Password parameter. If it is mapped to SSO Password, then you should force a password reset.
Recycle any secrets stored in Secure Notes.
See Secure Notes.
Update the credentials you use to authenticate to third-party apps for provisioning.
Some apps use OAuth, others use API keys. For information about the apps you use, view the provisioning doc for those apps in the App Integration section.
Update the admin-configured login credentials for apps that use form-based authentication.
See Adding a Form-Based Application.
Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
See Changing Usernames and Passwords for Form-Based Apps.
Replace your RADIUS shared secrets.
See Configuring the RADIUS Server Interface.
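The SAML certificate step above is only finished once every app has stopped trusting the old certificate: a service provider that still accepts the pre-incident signing key will accept assertions forged with it, no matter how many new certificates you add. The following is an added example, not OneLogin's own tooling or code from this page. It assumes you can export each SAML app's IdP metadata XML (or fetch it from the app's metadata URL), fingerprints the signing certificate in each document, and lists the apps that still advertise the retired certificate. The certificate values and app names (app-a, app-b, app-c) are constructed placeholders, not real certificates or real apps; the fingerprint logic is identical for real DER-encoded X.509 certificates.

```python
"""Post-rotation check for SAML signing certificates.

Added example for this page, not OneLogin's own tooling. After generating a new
signing certificate for each SAML app, export that app's IdP metadata XML and run
it through this check: any app whose metadata still advertises the retired
certificate has not been cut over and still trusts a key the attacker may hold.
Certificate values and app names below are constructed placeholders, not real
certificates; the fingerprint logic is the same for real DER-encoded X.509.
"""
from __future__ import annotations

import base64
import hashlib
import xml.etree.ElementTree as ET

NS = {
    "md": "urn:oasis:names:tc:SAML:2.0:metadata",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}


def fingerprint(cert: str) -> str:
    """SHA-256 over the DER bytes, as colon-separated uppercase hex.

    Accepts either a bare base64 blob (as found in <ds:X509Certificate>) or a
    PEM block; the output matches `openssl x509 -noout -fingerprint -sha256`.
    """
    lines = (line.strip() for line in cert.splitlines())
    body = "".join(line for line in lines if line and not line.startswith("-----"))
    der = base64.b64decode(body)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i : i + 2] for i in range(0, len(digest), 2))


def signing_certs(metadata_xml: str) -> list[str]:
    """Return the certificates an IdP metadata document offers for signing.

    A KeyDescriptor without a `use` attribute is valid for both signing and
    encryption, so it is included; encryption-only keys are skipped (they are
    a separate rotation).
    """
    root = ET.fromstring(metadata_xml)
    certs: list[str] = []
    for kd in root.iterfind(".//md:KeyDescriptor", NS):
        if kd.get("use") not in (None, "signing"):
            continue
        for c in kd.iterfind(".//ds:X509Certificate", NS):
            certs.append(c.text or "")
    return certs


def apps_still_on_old_cert(metadata_by_app: dict[str, str], retired_fp: str) -> list[str]:
    """Names of apps whose metadata still carries the retired certificate."""
    return sorted(
        app
        for app, xml in metadata_by_app.items()
        if any(fingerprint(c) == retired_fp for c in signing_certs(xml))
    )


# --- constructed sample data (NOT real certificates or real OneLogin apps) ---
def _metadata(entity_id: str, cert_b64: str) -> str:
    return f"""<?xml version="1.0"?>
<md:EntityDescriptor xmlns:md="{NS['md']}" xmlns:ds="{NS['ds']}" entityID="{entity_id}">
  <md:IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:KeyDescriptor use="signing">
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>
        {cert_b64}
      </ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </md:KeyDescriptor>
    <md:SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://idp.example.com/trust/saml2/http-post/sso/{entity_id}"/>
  </md:IDPSSODescriptor>
</md:EntityDescriptor>"""


OLD_CERT_B64 = base64.b64encode(b"constructed pre-incident signing cert").decode()
NEW_CERT_B64 = base64.b64encode(b"constructed freshly generated signing cert").decode()
RETIRED_FINGERPRINT = fingerprint(OLD_CERT_B64)  # record this before you rotate

APP_METADATA = {
    "app-a": _metadata("app-a", NEW_CERT_B64),
    "app-b": _metadata("app-b", OLD_CERT_B64),  # rotation missed this one
    "app-c": _metadata("app-c", NEW_CERT_B64),
}

if __name__ == "__main__":
    for app in apps_still_on_old_cert(APP_METADATA, RETIRED_FINGERPRINT):
        print(f"{app}: still advertising retired certificate {RETIRED_FINGERPRINT}")
```

Record the fingerprint of the old certificate before you rotate, then run the check against metadata exported after the cutover. An empty result only shows the identity-provider side is clean; you still have to confirm on each service provider that the old certificate was removed from its trust configuration rather than left alongside the new one, and rotate any encryption-only certificates separately.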
If you have questions or need assistance please contact us at email@example.com.