OneLogin Says Breach Exposed Ability To Decrypt Customer Data (krebsonsecurity.com)

Reader tsu doh nimh writes: OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data, KrebsOnSecurity reports. "A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications."
  • FAIL (Score:4, Insightful)

    by Mister Transistor ( 259842 ) on Thursday June 01, 2017 @01:50PM (#54527693) Journal

    You
    Had
    ONE
    JOB
    ! ! !

    • THIS!

      Their entire reason for existing is security. How can you say you are a security company and you get hacked on a regular basis?
    • by TWX ( 665546 )

      I remember the first time we were offered these kinds of services and I thought to myself that this would be a great way to find all of one's access compromised absolutely everywhere.

      Sure, a security company should by definition be the most secure business, but this has often proven not to be the case.

    • Yep, part of what the company was selling was security. They knew they were going to be a big fat target, with a lot of eggs in their basket. I can't fault them, because at least they admitted the breach. However, they should consider better encryption mechanisms. LastPass has been attacked a few times, but they have weathered the storm.

      It might be that they need to re-architect their setup, with defense in depth.

      • I can't fault them, because at least they admitted the breach.

        So, if I take money from you to guard your house and I fall asleep and your house gets robbed multiple [slashdot.org] times [hackerone.com], you aren't going to fault me because I admit that I fell asleep?

  • by Anonymous Coward

    You can easily see it for yourself. There are many obnoxious posts here using my name.

  • This is why I use Password Safe synced on iCloud.
    Nobody is going to compromise Password Safe because it is open source,
    and Apple can't be breached.

  • by DontBeAMoran ( 4843879 ) on Thursday June 01, 2017 @01:56PM (#54527745)

    My passwords are in a little paper book on my computer desk. If a hacker has access to it, I've got bigger problems.

  • by Anonymous Coward

    Why does OneLogin have access to customer data???

  • putting all your eggs in one basket makes the basket very attractive!

    • by green1 ( 322787 )

      And yet every time we talk about password security, the general consensus on Slashdot is to use a password manager so that you can have strong passwords. And every time I bring up the "all your eggs in one basket" problem I'm told that it isn't an issue because --insert hand waving here---
      And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.

      • And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.

        That's overly simplistic. In the case of LastPass, what's stored on the internet is an encrypted blob of my passwords. My master password is never sent to LastPass or anywhere on the internet. The real dangers of LastPass are a weak master password or local in-browser exploits and spoofs. If you've got a good master password, breaking the encryption via brute force isn't computationally feasible.

        You have to ask yourself what you feel is the biggest danger: password re-use or weak passwords (because unle

  • At one point I checked a lot of solutions to keep my passwords, and PasswordSafe [pwsafe.org] (from Bruce Schneier) is certainly the best one; I can also put my database on gdrive or whatever without fear.

  • ...a special class of "Moron" for people who would sign up for such a service.
    • by green1 ( 322787 )

      And that "class" is "a large percentage of Slashdotters" because every time we discuss password security there's always a large number of people recommending one or another of these sorts of services as the be-all end-all of password security.

    • Are you saying SSO is stupid in principle, or something about OneLogin's brand of SSO is stupid in particular?

  • by hackel ( 10452 ) on Thursday June 01, 2017 @02:52PM (#54528375) Journal

    Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption? How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astounding.

    • Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption?

      LastPass works this way. You need something with a fully inspectable front-end and hopefully a code audit or two.

      How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astoun

    • Look into KeePassX if you like that style of tool. Bruce's was good for its time.

      https://en.wikipedia.org/wiki/... [wikipedia.org]

    • The nature of the breach isn't entirely clear. It's possible that the passwords are encrypted, and that the encryption wasn't broken. There are other kinds of exploits and intrusions.

    • by bongey ( 974911 )

      Thought the same thing as KeePassX or LastPass, which both do encryption on the client-side PC. Nope, OneLogin does it on the server, a brain-dead way to do a password vault: break the server, you have the clients' passwords. https://support.onelogin.com/h... [onelogin.com]

  • This is why I keep all my passwords on a post-it note in my desk drawer. I used to keep it on my monitor but the bezel is too small now.
    Hey, where'd the post-it go?! I swear it was in this drawer.

    • by green1 ( 322787 )

      You joke, but it all depends on what you are securing against.

      If my computer is in my house, then there's nothing that someone can get from that post-it note that they can't get from all sorts of other things already there. So why not have it on a post-it?

      If someone gets as far as the post-it note, my problems are far bigger than some random person posting to Slashdot under my name.

  • If, instead of "onelogin" it were called what it actually is "a basket for your eggs", maybe then people wouldn't put all of their passwords into it.

    Perhaps one shouldn't put all of one's eggs into one basket. Just saying. Maybe "security" isn't about putting everything in one place.

    Oh wait, what an old fashioned way of thinking. Let's modernize it shall we? Give all of your sensitive and valuable stuff to one person to hold -- oh yeah, and trust them both to keep it all safe and to not use it themselv

  • by bongey ( 974911 ) on Thursday June 01, 2017 @07:14PM (#54530565)

    I figured OneLogin would be decrypting/encrypting on the local PC. NOPE, those idiots do it on the server side: hack the server and it's lights out. What were they thinking? https://support.onelogin.com/h... [onelogin.com]
    Was worried for a second that LastPass was doing something stupid also; no, LastPass does all decrypting/encrypting on the client side. AES-256 in JavaScript on the client's local PC and in C++ for their browser extension. Basically LastPass only stores an encrypted file in the cloud, and the file gets downloaded and decrypted only with your password on the client. https://lastpass.com/whylastpa... [lastpass.com]

  • I have never understood the push for single sign-on systems.
