SIGforum.com Main Page The Lounge Who here use a password manager? Password manager OneLogin hacked.
Main Page The Lounge Who here use a password manager? Password manager OneLogin hacked.Go | New | Find | Notify | Tools | Reply | |
Oriental Redneck |
http://www.zdnet.com/article/o...itive-customer-data/ Password manager OneLogin hacked, exposing sensitive customer data UPDATED: The company said that hackers have 'the ability to decrypt encrypted data'. By Zack Whittaker for Zero Day | June 1, 2017 -- 15:47 GMT (08:47 PDT) | Topic: Security Password manager and single sign-on provider OneLogin has been hacked. In a brief blog post, the company's chief security officer Alvaro Hoyos said that it was aware of "unauthorized access to OneLogin data in our US data region," and that it had reached out to customers. Hoyos said that the company had blocked the unauthorized access after the breach and is working with law enforcement. The blog post initially lacked detailed information about the incident, although the post had omitted that hackers had stolen sensitive customer data -- a point that the company had instead only mentioned in an email sent to customers, seen by ZDNet. "OneLogin believes that all customers served by our US data center are affected and customer data was potentially compromised," the email read. Later in the day, the company said in an update: "Our review has shown that a threat actor obtained access to a set of [Amazon Web Services, or AWS] keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US." The company confirmed that the attack appears to have started at 2am (PT), but staff were alerted of unusual database activity some seven hours later, who "within minutes, shut down the affected instance as well as the AWS keys that were used to create it". "The threat actor was able to access database tables that contain information about users, apps, and various types of keys," the company said. The company added that although it encrypts "certain sensitive data at rest," it could not rule out the possibility that the hacker "also obtained the ability to decrypt data". But a spokesperson did not say what kind of data is and isn't encrypted. We have asked for clarity, and will update when we hear back. Some had questioned earlier in the day how the hackers had access to customer data that could ultimately be decrypted. "Am I the only 1 to find it disturbing OneLogin had a decryption method for customer data accessible enough to be grabbed via breach?" said one user on Twitter. The company has advised customers to change their passwords, generate new API keys for their services, and create new OAuth tokens -- used for logging into accounts -- as well as to create new security certificates. The company said that information stored in its Secure Notes feature, used by IT administrators to store sensitive network passwords, can be decrypted. The company also hasn't said how many customers were affected. According to its website, dozens of major multinationals, including ARM, Dun & Bradstreet, The Carlyle Group, Conde Nast, and Dropbox (which a spokesperson disputed in an email), are customers. OneLogin allows corporate users to access multiple web applications, sites, and services with just one password. It's thought that the company has millions of users serving more than 2,000 companies in dozens of countries, according to CrunchBase. The single sign-on provider integrates hundreds of different third-party apps and services, such as Amazon Web Services, Microsoft's Office 365, LinkedIn, Slack, Twitter, and Google services. It's the second such breach in as many years. Last August, the company warned users that its Secure Notes service had been accessed by an "unauthorized user," but it denied that any customer data had been compromised. Updated at 8pm ET: Additional details from the company. Contact me securely Zack Whittaker can be reached securely on Signal and WhatsApp at 646-755–8849, and his PGP fingerprint for email is: 4D0E 92F2 E36A EC51 DAAE 5D97 CB8C 15FA EB6C EEA5. Q | ||
|
Seeker of Clarity |
Yeah, there are a bunch of them out there now. My preference is LastPass with 2 factor auth, If you use one that by design, does NOT (have/keep/need/maintain) a copy of the decryption key, (like LastPass), you can basically ignore when they get breached (and they will). I know it will seem unintuitive to keep all of your passwords "in one basket" so to speak. But the ability to use huge complex and unique passwords for EVERY site/service and then let a password manager handle the mess means that ALL of those sites (large threat surface) are more secure. I can then focus on securing and understanding the one main point of security. I'd recommend it to anyone. https://lastpass.com/support.php?cmd=showfaq&id=6926  | |||
|
| stupid beyond all belief  |
I use norton. Thx for the heads up. What man is a man that does not make the world better. -Balian of Ibelin Only boring people get bored. - Ruth Burke | |||
|
Nullus Anxietas |
This is why I've traditionally been disinclined to store my encrypted keyring on servers not under my direct control. (Which is all "the cloud" is.) I do, now, but, the encrypted keyring is again encrypted in a general file store, not a keyring-specific store. So, not only is the keyring doubly-encrypted, with strong encryption in each case, but, it's buried in with photos, music, notes of no consequence and all manner of other uninteresting cruft. That, in and of itself, is a form of "encryption." (Not unlike the principles behind secure spread-spectrum radio communications, which look essentially like noise.)This message has been edited. Last edited by: ensigmatic, "America is at that awkward stage. It's too late to work within the system,,,, but too early to shoot the bastards." -- Claire Wolfe "If we let things terrify us, life will not be worth living." -- Seneca the Younger, Roman Stoic philosopher | |||
|
| Son of a son of a Sailor  |
WTF is a "threat actor"? -------------------------------------------- Floridian by birth, Seminole by the grace of God | |||
|
A Grateful American |
It is the method, device or person used gain access to a system. Think ISIS. An IED, a car bomb, a Jihadi, the message groups, the some Mosque, some radical teacher, etc., all are the "threat actor". Each are a method to inflict the damage and terrorize. So, whether it is a person, a group, a bit of code, a full program or application, a method such as social engineering and so forth. It all is "the threat actor". Back in the early days, it was "the hack". It coudl be anything, but "the hack" defiend the "tip of the spear" if you will. But, that is the broadbrush generalization, it gets more complex the more you dig and work to understand. As is the "cloud", being a great many small parts that make up the whole, and someone fluid, and somewhat static, some phisical, some virtual, some intellect and some hard code instructions. You cannot simply point at any one thing and call it "the cloud" (internet), so is "the threat actor". "the meaning of life, is to give life meaning" ✡ Ani Yehudi אני יהודי Le'olam lo shuv לעולם לא שוב! | |||
|
| Member |
Perp in common parlance (Pre PC) I should be tall and rich too; That ain't gonna happen either | |||
|
| Member |
On a Mac I use "KeyPass". Local only database. If I need access remotely, I VNC in and open it up (encrypted access)and get the data. I don't trust the "One login Access" model just for this precise reason. I also DO NOT LINK any of my accounts to google, facebook or whatever. If someone wants me they're gonna have to work a bit harder at it. I should be tall and rich too; That ain't gonna happen either | |||
|
| Unapologetic Old School Curmudgeon  |
I use a piece of paper... It will never be hacked Don't weep for the stupid, or you will be crying all day | |||
|
eh-TEE-oh-clez |
No password keeper for me. I use long, unique, complex passwords for each site memorized and based on a system. I keep tiers of passwords. A tier for financial and banking. A tier for my top level email. A tier for shopping websites that keep banking info, a tier for accounts with value (paid services, utilities), and a tier for non sensitive websites (web forums, social media). When I make a new password, I push the password to the top tier, and then push all the passwords down so that I only have to memorize one new password. The passwords are long, complex, and unique, but easy to remember. An example would be "I H8 P@ssword Keepers! 4 BAN" which is case sensitive, uses letters, numbers, and symbols, and has the last 3 letters change with each website it uses. Even if a password is breached, damage is contained to a single tier. | |||
|
Baroque Bloke |
My password manager is local-only too: "mSecure", with 256-bit blowfish encryption. I have it on my iPhone and my MacBook. Serious about crackers | |||
|
| Member |
Tell us, where do you hide the paper?  P226 9mm CT Springfield custom 1911 hardball Glock 21 Les Baer Special Tactical AR-15 | |||
|
| Unapologetic Old School Curmudgeon |
See, you don't know where it is! Hack proof.... Don't weep for the stupid, or you will be crying all day | |||
|
אַרְיֵה |
1Password הרחפת שלי מלאה בצלופחים | |||
|
Member |
Same here. I like it. I only use local storage for the password vault. | |||
|
Drug Dealer |
I keep mine under the keyboard. They'd never think to look there. When a thing is funny, search it carefully for a hidden truth. - George Bernard Shaw | |||
|
| I believe in the principle of Due Process  |
As a child of four can plainly see, in an envelope, hermetically sealed, kept in a mayonnaise jar on Funk and Wagnalls' porch since noon today. Luckily, I have enough willpower to control the driving ambition that rages within me. When you had the votes, we did things your way. Now, we have the votes and you will be doing things our way. This lesson in political reality from Lyndon B. Johnson "Some things are apparent. Where government moves in, community retreats, civil society disintegrates and our ability to control our own destiny atrophies. The result is: families under siege; war in the streets; unapologetic expropriation of property; the precipitous decline of the rule of law; the rapid rise of corruption; the loss of civility and the triumph of deceit. The result is a debased, debauched culture which finds moral depravity entertaining and virtue contemptible." - Justice Janice Rogers Brown | |||
|
Member |
An index card kept in the safe seems like a perfectly good option to me. God bless America. | |||
|
| אַרְיֵה |
Post-It note on the edge of the monitor. הרחפת שלי מלאה בצלופחים | |||
|
Member |
Does anyone here have any experience with the "Logmeinonce" password manager? If so what's your opinion of it? Thanks, | |||
|
| Powered by Social Strata | Page 1 2 3 4 |
 | Please Wait. Your request is being processed... |
|
SIGforum.com Main Page The Lounge Who here use a password manager? Password manager OneLogin hacked.
Main Page The Lounge Who here use a password manager? Password manager OneLogin hacked.© SIGforum 2025