OneLogin Customer Data Compromised

Login credential management platforms are valuable tools for organizing and securing a business's or individual's account usernames and passwords. While password management platforms simplify the process of creating and managing secure account credentials, they are not a complete solution for account security at your business: the platform itself becomes a third party whose compromise exposes every credential it holds.

On May 31, 2017, OneLogin, a credential management platform, publicly announced the firm fell victim to a security incident. OneLogin’s CISO Alvaro Hoyos formally acknowledged “customer data was compromised, including the ability to decrypt encrypted data.”

This incident is an example of why businesses require response plans and additional security measures to mitigate risks posed by third-party vendors. Soteria recommends the following proactive and responsive security measures to better protect your business against the inevitable risks posed by third parties:

1. Create new passwords for all accounts potentially compromised.

If you are made aware that your account passwords are at risk, it is important to change passwords promptly. This action will make it more challenging for a cybercriminal to access your account.

2. Set up two-factor authentication.

Two-factor authentication (2FA) requires a user to have knowledge of a password and access to an additional item, such as a cell phone, to access an account. Most popular email, social media, and finance websites offer 2FA settings that can be easily enabled and set up with a valid phone number. Another alternative is a security key, stored on a physical USB device, that can validate the user attempting to log in to an account.

3. Generate new API Keys.

In the event of a security incident, ensure your IT or product development team is aware of the incident. It may be necessary for these teams to change API keys, which are unique codes that authorize the transfer of information between your business or product and another vendor's systems. In the event a vendor your firm uses is breached, resetting API keys is a simple yet important step to take.
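Resetting a key without breaking the integration that uses it takes a little structure. The following added example (not code from the original post or from Soteria, and not OneLogin's API) is a small key store that issues keys, stores only their SHA-256 digests, and rotates a key by issuing a replacement while the old key keeps working for a grace period and is then rejected. The store layout, the grace period and the `example-vendor` label are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class KeyRecord:
    key_id: str
    digest: bytes                       # SHA-256 of the secret; plaintext is never stored
    expires_at: Optional[float] = None  # None = active; set at rotation to end the grace period


class ApiKeyStore:
    """Keys for one integration (hypothetical vendor 'example-vendor').
    Holding only digests means a dump of this store does not hand out working keys."""

    def __init__(self) -> None:
        self._records: Dict[str, KeyRecord] = {}

    @staticmethod
    def _digest(secret: str) -> bytes:
        return hashlib.sha256(secret.encode()).digest()

    def issue(self) -> Tuple[str, str]:
        """Create a new key. The secret is returned once and must be delivered to the integration."""
        key_id = secrets.token_hex(8)
        secret = secrets.token_urlsafe(32)
        self._records[key_id] = KeyRecord(key_id, self._digest(secret))
        return key_id, secret

    def rotate(self, old_key_id: str, grace_seconds: int, now: float) -> Tuple[str, str]:
        """Issue a replacement and let the old key live only until the grace period ends,
        so the integration can switch over without a hard outage. After a vendor breach
        the grace period should be short, or skipped by calling revoke() instead."""
        old = self._records[old_key_id]
        old.expires_at = now + grace_seconds
        return self.issue()

    def revoke(self, key_id: str) -> None:
        """Immediate cut-off: the key stops validating on the next request."""
        self._records.pop(key_id, None)

    def verify(self, key_id: str, presented: str, now: float) -> bool:
        """Reject unknown ids and expired keys; compare digests in constant time."""
        rec = self._records.get(key_id)
        if rec is None:
            return False
        if rec.expires_at is not None and now >= rec.expires_at:
            return False
        return hmac.compare_digest(rec.digest, self._digest(presented))


if __name__ == "__main__":
    store = ApiKeyStore()
    kid, sec = store.issue()
    new_kid, new_sec = store.rotate(kid, grace_seconds=3600, now=0.0)
    print("old key during grace:", store.verify(kid, sec, now=100.0))
    print("old key after grace:", store.verify(kid, sec, now=4000.0))
    print("new key:", store.verify(new_kid, new_sec, now=4000.0))
```

Two points carry over to any real key store: the plaintext secret exists only at issue time, and revocation is a separate, immediate operation from rotation, because a key that is believed to be in an attacker's hands should not be granted a grace period at all.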

4. Establish an incident response plan.

In the event a similar incident occurs at your firm, it is imperative your business has already outlined appropriate steps to be taken to respond to incidents caused by third-party vendors. Ensuring your employees know who to contact in the event they are made aware of a security incident that could impact your business is a critical security practice.