"OneLogin believes that all customers served by our U.S. data center are affected and customer data was potentially compromised", the email read.
Affected OneLogin users can visit this page for a handy 11-step guide to securing your data, if that's possible, or read through it over at El Reg.
Published reports, however, say OneLogin informed customers that the hackers indeed got that capability.
In 2015, rival LastPass said hackers obtained some user information - although not actual passwords.
OneLogin is a username and password management company. A message sent from OneLogin to its customers said "customer data was compromised, including the ability to decrypt encrypted data".
The company is also encouraging users to update any API and OAuth credentials associated with third-party directories, such as G Suite, generate and apply new Desktop SSO tokens, recycle any secrets stored in Secure Notes, update any credentials used to authenticate to third-party apps for provisioning and update any admin-configured login credentials that may be used for form-based authentication.
That long list might perhaps be why OneLogin has been a bit brief in public: it's a lot of work for customers to get done, and it could set tongues wagging if the extent of the risk became widely known.
What's most worrying is that while the company says it encrypts "certain data at rest", it could not rule out the possibility that the hacker also obtained the ability to decrypt the data. "We want our customers to know that the trust they have placed in us is paramount", Hoyos wrote.
There are a number of potential vectors by which an attacker could have breached OneLogin's security. Two-factor authentication is another trade-off - this time more security for less convenience.