Hackers break into centralized password manager OneLogin


OneLogin's customers include Pinterest and Conde Nast.

Customer data residing in password management service OneLogin was compromised when a "malicious actor" accessed information on keys used for encryption, the firm reports.

Alvaro Hoyos, the company's chief information security officer, announced the incident in a blog post late Wednesday evening.

What's most worrying is that while the company says it encrypts "certain data at rest", it could not rule out the possibility that the hacker also obtained the ability to decrypt the data.

A firm called OneLogin, which promises to offer solid security and identity management to businesses, has reached out to some customers to let them know that it is as vulnerable as everyone else and has been breached.

Millions of OneLogin customers will need to take urgent action to protect their organisational and third-party accounts, after the single sign-on provider revealed it had been hacked and its user credentials compromised.

"OneLogin's investigation is ongoing, and is aided by independent third-party security experts, as well as law enforcement", Hoyos said.

Customers were warned about the incident in an email yesterday, and OneLogin also posted a short blog post about the problem. In August, the company alerted users that one of its standalone systems had been breached by an unauthorized user.

Customers have been advised to force a password reset for all users, generate new API keys and security certificates for their services, and create new OAuth tokens.

It's the second such breach in as many years.

OneLogin boasts that its service allows employees to set and reset their own passwords without having to go through the information technology department, which sounds like an attractive option for companies looking to reduce their IT workload.

"All customers served by our United States data centre" are potentially vulnerable, according to an email reportedly sent to customers. OneLogin didn't immediately respond to a request for comment. When a breach like this occurs, hackers potentially hold the keys to the kingdom.