Identity and access management firm OneLogin has shared more details on the data breach that hit its U.S. data center this week, including information on the method of attack and impact on customers.

OneLogin, whose services are used by more than 2,000 enterprises across 44 countries, informed customers on May 31 that on the same day it had detected and blocked unauthorized access at its U.S. data center.

While the company initially provided only few details, citing an ongoing law enforcement investigation, it did mention that the attackers may have obtained the ability to decrypt encrypted data. This and the long list of actions that customers are required to complete following the incident has led many to believe that the breach was serious.

OneLogin shared more information on Thursday and clarified that the attacker gained access to its systems using compromised Amazon Web Services (AWS) keys. The hacker used the stolen keys to access the AWS API from an intermediate host with a different, smaller US-based service provider.

“Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance,” explained Alvaro Hoyos, CISO of OneLogin.

The attack appears to have started on May 31 at around 2 am PST and the affected AWS instance and the keys leveraged by the hacker were disabled roughly seven hours later after OneLogin staff noticed unusual database activity.

After some OneLogin customers complained about the lack of information on what type of user data has been compromised, the company clarified that the threat actor gained access to a database containing data on users, apps and various types of keys.

“While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers,” Hoyos said.

OneLogin previously reported suffering a data breach in August 2016, when the company warned users that hackers may have gained access to unencrypted Secure Notes data.

Related Reading: Data Stolen in DocuSign Breach Used for Email Attacks

Related Reading: Hackers Steal Customer Card Data From GameStop

Related Reading: Cloudflare Leaked Sensitive Customer Data

Eduard Kovacs is an international correspondent for SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Previous Columns by Eduard Kovacs:

Tags: