Credential theft
OneLogin Single Sign-On Breach: Customer Data Decrypted by Attacker
Primary Source: Incident Details
On 31 May 2017, OneLogin, an enterprise single sign-on and identity management provider serving approximately 2,000 enterprise customers, suffered a breach in which an attacker obtained AWS access keys and used them to access OneLogin's US data region. Through the AWS API, the attacker reached encrypted customer data and obtained decryption keys, giving them access to plaintext customer data, apps, and the customers' own secrets (which are managed through OneLogin's platform). OneLogin disclosed the breach the same day it was detected and immediately terminated the attacker's access.

The breach was particularly serious because OneLogin is a single sign-on provider: compromised OneLogin credentials or secrets could cascade into access to every application that customers authenticate to through OneLogin. OneLogin warned all affected customers that the threat actor may have obtained the ability to decrypt encrypted data, and advised all customers to generate new API credentials, OAuth tokens, and security certificates, and to recycle all secrets stored in OneLogin's Secure Notes. The breach highlighted the critical nature of identity provider security and the catastrophic impact of a breach affecting an SSO platform used across thousands of enterprise applications.
Technical Details
- Initial Attack Vector
- Attacker obtained access keys for the AWS environment hosting OneLogin's US data region through an unknown mechanism, then used those keys to make AWS API calls that enumerated OneLogin's infrastructure and accessed customer data, including decrypting data stored in OneLogin's environment
- Vendor / Product
- OneLogin single sign-on / identity management platform
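The attack pattern above, a leaked long-lived access key used to enumerate the environment and then decrypt data, leaves a distinctive trail in the AWS API audit log. The script below is an added detection example and is not OneLogin's code or anything from the incident report; it assumes CloudTrail-style records with the field names shown (eventTime, eventSource, eventName, sourceIPAddress, userIdentity.accessKeyId) and a per-key baseline of expected source networks. The key IDs, addresses and timestamps in the sample records are constructed.

```python
"""Detecting misuse of a leaked AWS access key from CloudTrail-style records.

Added example, not OneLogin's code. It assumes records with the CloudTrail
field names used below and a per-key baseline of expected source networks.
Two defender-side signals are checked for each access key:
  1. the key is used from an address outside its baseline networks;
  2. a burst of enumeration calls (List*/Describe*/GetCallerIdentity) is
     followed by a KMS Decrypt or GenerateDataKey call within a short window,
     the "map the environment, then unwrap the data" sequence.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records: key IDs, addresses and timestamps are invented.
SAMPLE_EVENTS = [
    # A legitimate key used from the internal network for routine work.
    {"eventTime": "2017-05-31T07:50:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}},
    {"eventTime": "2017-05-31T07:55:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "10.0.1.5",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000001"}},
    # A second key used from an outside address: enumerate, then decrypt.
    {"eventTime": "2017-05-31T08:05:00Z", "eventSource": "sts.amazonaws.com",
     "eventName": "GetCallerIdentity", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
    {"eventTime": "2017-05-31T08:06:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "ListBuckets", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
    {"eventTime": "2017-05-31T08:08:00Z", "eventSource": "ec2.amazonaws.com",
     "eventName": "DescribeInstances", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
    {"eventTime": "2017-05-31T08:10:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "ListKeys", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
    {"eventTime": "2017-05-31T08:12:00Z", "eventSource": "kms.amazonaws.com",
     "eventName": "Decrypt", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
    {"eventTime": "2017-05-31T08:15:00Z", "eventSource": "s3.amazonaws.com",
     "eventName": "GetObject", "sourceIPAddress": "203.0.113.7",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000000002"}},
]

# Assumed expected source networks per long-lived key. A key with no entry
# has no trusted network, so every use of it is reported as foreign.
BASELINE = {
    "AKIAEXAMPLE0000000001": ["10.0.0.0/8"],
    "AKIAEXAMPLE0000000002": ["10.0.0.0/8"],
}

ENUMERATION_PREFIXES = ("List", "Describe", "GetCallerIdentity")
DECRYPT_CALLS = {("kms.amazonaws.com", "Decrypt"),
                 ("kms.amazonaws.com", "GenerateDataKey")}


def parse_time(stamp):
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def in_baseline(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def analyse(events, baseline, window=timedelta(minutes=30), min_enum=3):
    """Return {accessKeyId: [reasons]} for every key showing either signal."""
    by_key = defaultdict(list)
    for ev in events:
        key = ev.get("userIdentity", {}).get("accessKeyId")
        if key:
            by_key[key].append(ev)

    findings = {}
    for key, evs in by_key.items():
        evs.sort(key=lambda ev: parse_time(ev["eventTime"]))
        reasons = []

        # Signal 1: use from outside the key's expected networks.
        nets = [ipaddress.ip_network(c) for c in baseline.get(key, [])]
        foreign = sorted({ev["sourceIPAddress"] for ev in evs
                          if not in_baseline(ev["sourceIPAddress"], nets)})
        if foreign:
            reasons.append("used from non-baseline address(es): " + ", ".join(foreign))

        # Signal 2: enumeration burst followed by a decrypt call in the window.
        for i, ev in enumerate(evs):
            if (ev["eventSource"], ev["eventName"]) not in DECRYPT_CALLS:
                continue
            t = parse_time(ev["eventTime"])
            prior = {p["eventName"] for p in evs[:i]
                     if t - parse_time(p["eventTime"]) <= window
                     and p["eventName"].startswith(ENUMERATION_PREFIXES)}
            if len(prior) >= min_enum:
                reasons.append(f"{len(prior)} distinct enumeration calls preceded "
                               f"{ev['eventName']} within {window}")
                break

        if reasons:
            findings[key] = reasons
    return findings


if __name__ == "__main__":
    for key, reasons in analyse(SAMPLE_EVENTS, BASELINE).items():
        print(key)
        for reason in reasons:
            print("  -", reason)
```

On the sample records only the second key is reported, for both reasons. In practice the baseline would be fed from the addresses a key is normally used from (for example the NAT or VPN egress ranges of the service that owns it), and a hit on either signal is the point at which the key should be disabled and rotated rather than merely ticketed, since a key that has already issued Decrypt calls has already done its damage.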
Timeline
- 2017-05-31 Breach occurred
- 2017-05-31 Publicly disclosed
- 2017-05-31 Customers notified