Technology

Hacker Attack on Password Manager Heightens Concerns

Thinkstock
Paul Ausick
Published:
Last Updated:

It’s hard to deny the convenience of using a password management program that can maintain or generate all the passwords consumers use these days. All you need to do is remember one password and the password manager remembers all the rest and can even generate complicated passwords a person could never remember to help thwart attacks on personally identifiable information.

The downside to password managers is that they become a single point of failure, and it is that downside that caught up with enterprise software firm OneLogin earlier this week. On Wednesday morning the company alerted its customers to an unauthorized access to OneLogin’s data on U.S. customers.

According to the company:

[A] threat actor obtained access to a set of AWS [Amazon Web Services] keys and used them to access the AWS API [application programming interface] from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.

The break-in resulted in access to information about users, apps and various keys and OneLogin said it “cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”

As we noted from the start, single sign-on programs like OneLogin trade some security for convenience. There’s no question that a target like OneLogin offers more opportunities for a cybercriminal to demand ransom payments or otherwise play havoc with sensitive data.

One way to combat the effects of this kind of attack is to require what is called two-factor authentication. The passwords stolen in this recent attack would be useless to all but an authenticated user who has specified a device (usually a cell phone) on which to receive an authentication code that verifies that the person using the password is also the owner of the account. Two-factor authentication is another trade-off — this time more security for less convenience.

“The Next NVIDIA” Could Change Your Life

If you missed out on NVIDIA’s historic run, your chance to see life-changing profits from AI isn’t over.

The 24/7 Wall Street Analyst who first called NVIDIA’s AI-fueled rise in 2009 just published a brand-new research report named “The Next NVIDIA.”

Click here to download your FREE copy.
Read more: Technology, Personal Finance

Thank you for reading! Have some feedback for us?
Contact the 24/7 Wall St. editorial team.

Latest from 24/7

Prediction: TSMC Will Be Worth More Than Nvidia By 2026

Is Marvell (MRVL) 2025's Top AI Stock? The Path to a $150 Share Price

Crowdstrike Holdings, Inc. (CRWD) Price Prediction and Forecast 2025-2030

Prediction: A Stock Split for Meta Platforms May Be Right Around the Corner