OneLogin, a company that sells software that claims to be a secure way for companies to use multiple cloud applications, has experienced a scary-looking data breach, the company disclosed on its corporate blog on Wednesday.
OneLogin’s service manages passwords and logins for multiple applications and sites for business users. The attack started May 31, 2017 at about 2 a.m. PT, and OneLogin staff were alerted to it about seven hours later, when they shut down access.
A letter sent to a OneLogin customer, who shared it with Fortune, includes slightly more—and much scarier—information than was made public in the blog. According to the email, the attacker “was able to access database tables containing information about users, apps, and various types of keys. while we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data.”
Get Data Sheet, Fortune’s technology newsletter
This snafu will likely confirm suspicions of traditional IT pros that companies should be wary of running business software off site in Amazon Web Services (AMZN) or other cloud data centers. That’s a contention that has been roundly denied by cloud providers, which say they have more security expertise than most businesses. Their position is that security concerns are more pronounced when technology is run on-premises.
Another OneLogin customer told tech news site Motherboard that the OneLogin snafu is a “massive leak.”
In the blog post, OneLogin chief information security officer Alvaro Hoyos said an unknown party gained unauthorized access to OneLogin’s servers running in the United States. In a follow-up, Hoyos added that this party did so by obtaining a set of AWS keys and used them to gain access to the AWS application programming interface via another service provider. (An API is the technical term for the way applications talk to each other, and APIs allowing developers to hook up pre-written software components so they work together.)
While Amazon runs its computers and software under lock and key, tens of thousands of users use APIs to access Amazon services.
David Mytton, chief executive of London-based Server Density, a server monitoring company, cautioned against overreaction. “The cloud should be more secure because you outsource to experts who can invest so much more in security than you could,” he said.
“Nothing is 100% secure and running your own single sign-on system is probably more risky but at least it’s isolated to your own system. The issue is not just a breach of OneLogin itself but the fact they store credentials to log into so many systems for so many customers. They’re also not doing a good job on the crisis communication front which is disappointing. They should be explaining more about how their security works, what went wrong, how much they invested etc.”
What this means is that the hacker may have accessed private, sensitive customer data. The irony that a software service built and sold as a way to provide security may have been used to access and steal data is not lost on those who are watching. “This is a catastrophe and the risk all the cloud naysayers were warning us about,” according to the customer who shared the OneLogin email with Fortune. He requested anonymity because he is not authorized to speak to the media.
San Francisco-based OneLogin, claims more than 2,000 business customers in 44 countries, including Conde Nast, Pinterest, Yelp, and Zendesk. It competes with other companies that provide password and identity management like Okta (OKTA) and Ping Identity. Google and Microsoft also offer similar services.
Fortune contacted OneLogin for comment and will update this post upon response.