
posted by martyb on Friday June 02 2017, @05:23AM
from the correct-horse-battery-stapler dept.

OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data.

Headquartered in San Francisco, OneLogin provides single sign-on and identity management for cloud-based applications. OneLogin counts among its customers some 2,000 companies in 44 countries, over 300 app vendors and more than 70 software-as-a-service providers.

A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications.

In a brief blog post Wednesday, OneLogin chief information security officer Alvaro Hoyos wrote that the company detected unauthorized access to OneLogin data.

"Today we detected unauthorized access to OneLogin data in our US data region. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorized access happened and verify the extent of the impact of this incident. We want our customers to know that the trust they have placed in us is paramount."

"While our investigation is still ongoing, we have already reached out to impacted customers with specific recommended remediation steps and are actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented."

[...] Update 7:54 p.m. ET: OneLogin posted an update to its blog with more details about the breach:

“Our review has shown that a threat actor obtained access to a set of AWS keys and used them to access the AWS API from an intermediate host with another, smaller service provider in the US. Evidence shows the attack started on May 31, 2017 around 2 am PST. Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance. OneLogin staff was alerted of unusual database activity around 9 am PST and within minutes shut down the affected instance as well as the AWS keys that were used to create it.”

Source: KrebsOnSecurity

See also:
Ars Technica
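The update quoted above describes the pattern a defender would want to catch: a valid AWS access key used from an unfamiliar host, in the small hours, to create instances, followed by unusual database activity. As an added example (not code from the story, from KrebsOnSecurity or from OneLogin), here is a small Python baseline check that models that pattern over constructed CloudTrail-shaped records. The key id, IP addresses, timestamps and the cutoff date are all made up for the example; the field names (eventTime, eventName, sourceIPAddress, userIdentity.accessKeyId) are assumed from the CloudTrail record format.

```python
"""Flag anomalous use of an AWS access key in CloudTrail-style events.

Added example, not part of the story or of OneLogin's post. It learns which
source IPs each key is normally used from (the baseline window), then alerts
when a key is used from a new host AND the call is either a mutating API
call or outside local business hours.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample events shaped like CloudTrail records. Field names are
# CloudTrail's; the key id, IPs and times are made up for this example.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-29T16:10:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2017-05-30T15:42:00Z", "eventName": "DescribeDBInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2017-05-30T18:05:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "203.0.113.11", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    # Same key, unfamiliar source host, instance creation at about 2 am local time.
    {"eventTime": "2017-05-31T09:02:00Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    {"eventTime": "2017-05-31T09:04:00Z", "eventName": "DescribeDBInstances",
     "sourceIPAddress": "198.51.100.7", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
    # Normal daytime read from a known host after the cutoff: must not alert.
    {"eventTime": "2017-05-31T16:30:00Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10", "userIdentity": {"accessKeyId": "AKIAEXAMPLE0000001"}},
]

# API calls that change infrastructure; a new host issuing these with a key is
# more serious than a read-only call. (Assumed list, trim or extend to taste.)
MUTATING_CALLS = {"RunInstances", "CreateAccessKey", "AuthorizeSecurityGroupIngress",
                  "CreateDBSnapshot", "ModifyDBInstance"}

LOCAL_TZ = timezone(timedelta(hours=-7))  # US Pacific (daylight time) for the sample dates
BUSINESS_HOURS = range(7, 20)             # 07:00-19:59 local counts as working hours


def parse_time(s):
    """Parse a CloudTrail-style UTC timestamp into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


# Everything before this point is treated as known-good history for the baseline.
CUTOFF = parse_time("2017-05-31T00:00:00Z")


def build_baseline(events, cutoff):
    """Map each access key to the set of source IPs it was used from before cutoff."""
    seen = defaultdict(set)
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            seen[ev["userIdentity"]["accessKeyId"]].add(ev["sourceIPAddress"])
    return seen


def score_event(ev, baseline):
    """Return the list of reasons an event looks anomalous (empty if benign)."""
    key = ev["userIdentity"]["accessKeyId"]
    reasons = []
    if ev["sourceIPAddress"] not in baseline.get(key, set()):
        reasons.append("new source IP for key")
    local_hour = parse_time(ev["eventTime"]).astimezone(LOCAL_TZ).hour
    if local_hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if ev["eventName"] in MUTATING_CALLS:
        reasons.append("mutating call")
    return reasons


def is_alert(reasons):
    """Alert only when an unfamiliar host is combined with a second signal."""
    return "new source IP for key" in reasons and (
        "outside business hours" in reasons or "mutating call" in reasons)


def find_anomalies(events, cutoff):
    """Return (time, call, source IP, reasons) for each post-cutoff event that alerts."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for ev in events:
        if parse_time(ev["eventTime"]) < cutoff:
            continue
        reasons = score_event(ev, baseline)
        if is_alert(reasons):
            alerts.append((ev["eventTime"], ev["eventName"], ev["sourceIPAddress"], reasons))
    return alerts


if __name__ == "__main__":
    for when, call, ip, why in find_anomalies(SAMPLE_EVENTS, CUTOFF):
        print(f"{when} {call} from {ip}: {', '.join(why)}")
```

On the sample data the two events from the unfamiliar host at about 2 am local time alert (the RunInstances call on all three signals, the database read on two), while the daytime read from a known host does not. Requiring a second signal on top of "new source IP" keeps ordinary office moves or VPN changes from paging anyone; the real gain over this toy is feeding it the account's actual CloudTrail history and tying the keys back to the roles that should be using them.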

  • (Score: 2) by Bobs on Friday June 02 2017, @04:28PM (4 children)

    by Bobs (1462) on Friday June 02 2017, @04:28PM (#519423)

    I use a password manager.

    It allows me to keep track of hundreds of different complex passwords.

    Works well.

    But, it is a prime attack vector and I try to operate under the assumption that eventually somebody will get access to a copy of the file.

    So I do a few things to make it less appealing:
    The store is encrypted.
    Auto-communication from it and my web browsers is disabled.
    Most of the entries have incomplete and incorrect information in them.
    Every site has a unique password, security questions, bio data, etc.
    The file is not shared online.

    So when somebody gets a copy of it they will still have to work at it to get useful info, and hopefully will decide it is enough of a PITA that they give up and move on to the next person.

    Sort-of like putting bars on your house windows: a thief can still get thru them but why bother when they can just go next door where it is easier?

  • (Score: 2) by Gaaark on Friday June 02 2017, @05:56PM

    by Gaaark (41) on Friday June 02 2017, @05:56PM (#519477) Journal

    I use a (linux desktop) password manager, try to make long long long passwords (18-28 characters) of stuff i can easily(?) remember (basically the horse battery etc type password but with some misspellings) and...
    ...drum-roll...

    i write it down. In a book. Beside the computer. Because my memory sucks and if something goes wrong with the password manager.....

    So if i am robbed at home i am humped.
    Consolation is, the book has other stuff in the front to make you think it is not a password manager book.

    Go ahead. Rob me. My computer will take your picture and mail it to me.

    --
    --- Please remind me if I haven't been civil to you: I'm channeling MDC. ---Gaaark 2.0 ---
  • (Score: 2) by dbe on Friday June 02 2017, @06:01PM (2 children)

    by dbe (1422) on Friday June 02 2017, @06:01PM (#519481)

    Interesting,
    Can you share the name of that password manager?

    >> Auto-communication from it and my web browsers is disabled.
    So you copy and paste, or does it have some kind of keyboard emulation?

    Also how do you handle multi device/mobile/tablets connections?
    The physical key product I mentioned could be used apparently with a USB OTG dongle to type the passwords in Android (not verified, I don't own it).

    Thanks
    Cheers

    • (Score: 0) by Anonymous Coward on Saturday June 03 2017, @01:09AM

      by Anonymous Coward on Saturday June 03 2017, @01:09AM (#519664)

      I don't know which they use, but passpack.com has a "local" mode which works fine for my needs. Specifically it's careful about keeping RAM clean, and decrypts only the key(s) you ask for.

      Serially recording in a dead tree book, with carbon copy (literally!) going to a safety deposit every full page, is also highly functional, if you trust your and your bank's physical security. (Don't forget to shred or burn the carbon sheets when they wear out too!)

    • (Score: 2) by Bobs on Friday June 09 2017, @07:43PM

      by Bobs (1462) on Friday June 09 2017, @07:43PM (#523232)

      I use 1Password:
            - https://1password.com/

      Good luck!