Author Topic: PSA: OneLogin Breached.  (Read 953 times)

wraith808

  • Supporting Member
  • Joined in 2006
  • Posts: 8,999
PSA: OneLogin Breached.
« on: June 01, 2017, 04:07 PM »
Single sign-on provider OneLogin has experienced a breach. If you or your company uses OneLogin to sign in to applications, or if you use any of their other services, you need to be aware of this and may need to take several actions immediately.

In the past 24 hours, OneLogin sent out the following notice about a security incident:

“On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”

(More at link on Wordfence)


Stoic Joker

  • Honorary Member
  • Joined in 2008
  • Posts: 6,402
Re: PSA: OneLogin Breached.
« Reply #1 on: June 02, 2017, 06:44 AM »
O_o ...Why would they even have the ability to decrypt someone's data on the server side in the first place ... Isn't that supposed to be a no-no?

wraith808

Re: PSA: OneLogin Breached.
« Reply #2 on: June 02, 2017, 07:53 AM »
> O_o ...Why would they even have the ability to decrypt someone's data on the server side in the first place ... Isn't that supposed to be a no-no?

It seems like it would be, especially for an SSO service.  I'm sure if queried, they would have some sort of BS answer.

Deozaan

  • Charter Member
  • Joined in 2006
  • Points: 1
  • Posts: 8,140
Re: PSA: OneLogin Breached.
« Reply #3 on: June 02, 2017, 02:21 PM »
So... I don't use OneLogin, as far as I'm aware. I never even heard of it before this. But maybe some sites I use use it?

Is there a list of affected sites I need to check?

wraith808

Re: PSA: OneLogin Breached.
« Reply #4 on: June 02, 2017, 04:40 PM »
> So... I don't use OneLogin, as far as I'm aware. I never even heard of it before this. But maybe some sites I use use it?
>
> Is there a list of affected sites I need to check?

That's a good question.  OneLogin is an SSO provider that bridges the logins between multiple sites - usually businesses and such.  Like, I know my company uses it to bridge between a lot of different disparate services, so we don't have to continue to log in.  But I don't know what SSO provider they use.

For personal use not in a corporate environment, I don't know of anything that I use that uses SSO.  But it's hard to tell; for example, my bank interfaces with TurboTax and Quicken and another bank.  I presume that's done through SSO, as I had to set up the link.  But what do they use?  Beats the hell out of me.

Tuxman

  • Supporting Member
  • Joined in 2006
  • Posts: 1,938
Re: PSA: OneLogin Breached.
« Reply #5 on: June 03, 2017, 09:14 AM »
Oh, wait - you mean, it's not a great idea to store your passwords on other people's computers?