Slashdot Mirror


OneLogin Says Breach Exposed Ability To Decrypt Customer Data (krebsonsecurity.com)

Reader tsu doh nimh writes: OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data, KrebsOnSecurity reports. "A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications."

64 comments

  1. FAIL by Mister+Transistor · · Score: 3, Insightful

    You
    Had
    ONE
    JOB
    ! ! !

    --
    -- You are in a maze of little, twisty passages, all different... --
    1. Re:FAIL by ArhcAngel · · Score: 1

      THIS!

      Their entire reason for existing is security. How can you say you are a security company and you get hacked on a regular basis?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    2. Re:FAIL by TWX · · Score: 1

      I remember the first time we were offered these kinds of services and I thought to myself that this would be a great way to find all of one's access compromised absolutely everywhere.

      Sure, a security company should by definition be the most secure business, but this has often proven to not be the case.

      --
      Do not look into laser with remaining eye.
    3. Re:FAIL by ctilsie242 · · Score: 1

      Yep, part of what the company was selling was security. They knew they were going to be a big fat target, with a lot of eggs in their basket. I can't fault them, because at least they admitted the breach. However, they should consider better encryption mechanisms. LastPass has been attacked a few times, but they have weathered the storm.

      It might be that they need to re-architect their setup, with defense in depth.

    4. Re:FAIL by ArhcAngel · · Score: 1

      I can't fault them, because at least they admitted the breach.

      So, if I take money from you to guard your house and I fall asleep and your house gets robbed multiple times, you aren't going to fault me because I admit that I fell asleep?

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    5. Re:FAIL by ctilsie242 · · Score: 1

      The fact they bothered admitting a breach happened is a lot better than most companies. I personally would go elsewhere, because Duo and LastPass have stood the test of time, but with the fact that "security has no ROI" is a core motto in a lot of places, just admitting it is better than nothing.

    6. Re:FAIL by __aadota8673 · · Score: 0

      Any company can get hacked. It is usually the fault of people, and every company employs people. I am a Sr. Systems Administrator, and I manage 80k laptops for an unnamed 3 letter agency. It is my job to secure those laptops by making sure weekly Windows patching completes. Sometimes when the system goes to reboot, an application takes a long time to exit or has a save-as dialog open. Windows then presents the user with a force shutdown or cancel screen. Guess which option they pick? Patches can get missed for months this way, and eventually their system gets hacked. There is no other way out of this besides fixing the broken user, and I don't have the authority to do that yet. I got my screwdriver set and hammer on standby though.

    7. Re:FAIL by slashrio · · Score: 1

      It's the fault of Windows, which should give a warning that within 24 hours it will shut down, and then do it.

      --
      "Trump!!", the new Godwin.
    8. Re:FAIL by runningduck · · Score: 1

      LastPass has had some recent problems as well.

      https://www.theguardian.com/te...
      https://blog.lastpass.com/2017...

      --
      -rd
    9. Re:FAIL by fuzznutz · · Score: 1

      The fault is most definitely Windows. None of my Linux machines require a reboot to update except for the kernel. Since NT was first released in 1993, Microsoft still hasn't figured out how to do this. I updated a couple frozen machines this week that required a double reboot after Windows Update ran. How is this even a thing?

    10. Re:FAIL by __aadota8673 · · Score: 0

      This is exactly what is wrong with you Linux freaks. I have been working IT in Silicon Valley for 20+ years and have seen it all, and you have always been the same. You try to be technically correct, but you are always technically incorrect. I have a presentation document open. I patch my system. How often does your window manager need to be restarted when you patch your window manager? How about your graphics drivers? Serving up user sessions to the web - can't touch the IP stack. Windows can absolutely update w/o a reboot, and for many things it does. Restarting a lot of stuff including reloading some kernel modules means bouncing your applications. Just because you in your basement don't use any real applications and pretty much have a blank system serving up a NAS mountpoint for porn to your laptop does not mean that killing everything and restarting it while "never shutting down" is "never shutting down."

    11. Re: FAIL by Anonymous Coward · · Score: 0

      NT could hot patch since at least XP. I have never seen it in action but the compiler still adds hot patch space to every function. Not that any of this is a good excuse but whatever...

    12. Re: FAIL by Anonymous Coward · · Score: 0

      Why don't you have a network block/throttle automatically kick in for approval on unpatched systems? No reason you can't index the MAC addresses of unpatched systems to a network red list for throttling or straight up blocking. This is all open source zero capex cost stuff.

      Now if your skill or more likely, your management is shit, that's a separate issue.

  2. I was hacked and my slashdot is account abused. by Anonymous Coward · · Score: 2, Funny

    You can easily see it for yourself. There are many obnoxious posts here using my name.

    1. Re:I was hacked and my slashdot is account abused. by __aaclcg7560 · · Score: 1

      If you want entertainment, read criemer!

    2. Re:I was hacked and my slashdot is account abused. by Anonymous Coward · · Score: 0

      I see them all over the place. They're even making posts in support of the orange Russian idiot running America into the ground.

  3. Fail by DontBeAMoran · · Score: 2

    I don't need to have my account hacked to post obnoxious crap. I can do it on my own!

    --
    #DeleteFacebook
  4. including the ability to decrypt encrypted data by Anonymous Coward · · Score: 1

    this is why I use password safe synced on icloud
    nobody is going to compromise password safe because it is open source
    and apple can't be breached

  5. MWAHAHAHAHA by Anonymous Coward · · Score: 0

    I'm in your intertubes and drinkins your milkshake!!

  6. When will you people learn by DontBeAMoran · · Score: 3, Insightful

    My passwords are in a little paper book on my computer desk. If a hacker has access to it, I've got bigger problems.

    --
    #DeleteFacebook
    1. Re:When will you people learn by TWX · · Score: 4, Insightful

      I've realized it's just safer to not discuss my password policy.

      --
      Do not look into laser with remaining eye.
    2. Re:When will you people learn by Anonymous Coward · · Score: 0

      janit0r hax0r

    3. Re:When will you people learn by DontBeAMoran · · Score: 1

      Janitor? In my freakin' house? Nope.

      --
      #DeleteFacebook
    4. Re:When will you people learn by Anonymous Coward · · Score: 0

      My password tattooed on my dick.

    5. Re:When will you people learn by nine-times · · Score: 1

      On the other hand, a simple burglar could get access to something placed on your desk. And a small fire could rob you of all your passwords.

    6. Re:When will you people learn by Pascoea · · Score: 2

      I call bullshit. Most passwords are required to be at least 8 characters. Kinda hard to tattoo in a 3pt font.

    7. Re:When will you people learn by Anonymous Coward · · Score: 0

      I know. I can see the filth.

      Oh. Wait. Shouldn't have spilled the beans. But now that we have, you should not do that since you will go blinder.

    8. Re:When will you people learn by Anonymous Coward · · Score: 0

      Janitor? In my freakin' house? Nope.

      Teenage children?

      Wife who wants to check your browser history or credit card statements?

    9. Re:When will you people learn by DontBeAMoran · · Score: 1

      Nope.

      --
      #DeleteFacebook
    10. Re:When will you people learn by DontBeAMoran · · Score: 1
      --
      #DeleteFacebook
    11. Re:When will you people learn by DontBeAMoran · · Score: 1

      That's the "I've got bigger problems" part.

      --
      #DeleteFacebook
    12. Re:When will you people learn by trawg · · Score: 1

      I've realized it's just safer to not discuss my password policy.

      This is why I don't bitch about my banks online

    13. Re:When will you people learn by nine-times · · Score: 1

      I don't know. I'd consider "someone got ahold of all my passwords" to be a bigger problem than "someone stole my TV".

    14. Re:When will you people learn by DontBeAMoran · · Score: 1

      I don't have a TV, you insensitive clod!

      --
      #DeleteFacebook
  7. But LastPass is totes secure right? by Anonymous Coward · · Score: 0

    Right!!!????

    Looks like it's time to go back to using yellow sticky notes.

  8. Onelogin by Anonymous Coward · · Score: 0

    to steal them all

  9. Re: I was hacked and my slashdot is account abused by Anonymous Coward · · Score: 0

    Any security conscious slashdotter would be running cleanmypc and apk's hosts file generator and would be safe from hacking.

  10. Too much access by Anonymous Coward · · Score: 1

    Why does OneLogin have access to customer data???

  11. In other news by bravecanadian · · Score: 1

    putting all your eggs in one basket makes the basket very attractive!

    1. Re:In other news by green1 · · Score: 1

      And yet every time we talk about password security, the general consensus on Slashdot is to use a password manager so that you can have strong passwords. And every time I bring up the "all your eggs in one basket" problem I'm told that it isn't an issue because --insert hand waving here---
      And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.

    2. Re:In other news by Dutch+Gun · · Score: 1

      And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.

      That's overly simplistic. In the case of LastPass, what's stored on the internet is an encrypted blob of my passwords. My master password is never sent to LastPass or anywhere on the internet. The real dangers of LastPass are a weak master password or local in-browser exploits and spoofs. If you've got a good master password, breaking the encryption via brute force isn't computationally feasible.

      You have to ask yourself what you feel is the biggest danger: password re-use or weak passwords (because unless you're extraordinarily disciplined, that's the result of not using one), or the danger of an encrypted blob being remotely accessed and then somehow cracked? Personally, I'm going to bet on strong encryption, and make sure that all my passwords are long, per-site-unique, and complete gibberish.

      --
      Irony: Agile development has too much inertia to be abandoned now.
    3. Re:In other news by Anonymous Coward · · Score: 0

      And yet every time we talk about password security, the general consensus on Slashdot is to use a password manager so that you can have strong passwords. And every time I bring up the "all your eggs in one basket" problem I'm told that it isn't an issue because --insert hand waving here--- And yet, we know that any time your passwords are on the internet, they are vulnerable. No matter what has been done to "secure" them.

      You can leave multiple encrypted copies of your password files all over the place and they shouldn't be vulnerable if you've used a halfway decent password and the typical AES encryption. In the car, at the office, at your parent's house, with your lawyer with the copy of your will etc.

  12. PasswordSafe FFS by Frederic54 · · Score: 1

    At one point I checked a lot of solutions to keep my passwords, and PasswordSafe (from Bruce Schneier) is certainly the best one; I can also put my database on gdrive or whatever without fear.

    --
    "Science will win because it works." - Stephen Hawking
    1. Re:PasswordSafe FFS by hackel · · Score: 1

      Windows-only garbage most people install from a binary blob without compiling it themselves and has network access? No, thanks.

    2. Re:PasswordSafe FFS by green1 · · Score: 1

      So there's no way of knowing if it's secure, because it's a blob nobody has access to. And it doesn't work on most devices (who ONLY uses their PC these days and doesn't need password access on their phone?)

      So it's both useless, and a security nightmare... good work!

    3. Re:PasswordSafe FFS by Frederic54 · · Score: 1

      What? no, it exists for zillions of platforms, see https://pwsafe.org/relatedproj...

      Also, you can compile it yourself; the source is available:
      https://github.com/pwsafe/pwsa...

      --
      "Science will win because it works." - Stephen Hawking
    5. Re:PasswordSafe FFS by Anonymous Coward · · Score: 0

      Nobody should install a binary blob for their password manager, but compiling it yourself from verified sources and comparing the checksum of the files against the checksums published on various forums for the same files ... SHOULD give you enough assurance you're getting a vetted product you can trust.

  13. There has to be... by Sqreater · · Score: 0

    ...a special class of "Moron" for people who would sign up for such a service.

    --
    E Proelio Veritas.
    1. Re:There has to be... by green1 · · Score: 1

      And that "class" is "a large percentage of Slashdotters" because every time we discuss password security there's always a large number of people recommending one or another of these sorts of services as the be-all end-all of password security.

    2. Re:There has to be... by nine-times · · Score: 1

      Are you saying SSO is stupid in principle, or something about OneLogin's brand of SSO is stupid in particular?

  14. I don't understand... by hackel · · Score: 3, Insightful

    Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption? How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astounding.

    1. Re:I don't understand... by bill_mcgonigle · · Score: 1

      Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption?

      LastPass works this way. You need something with a fully inspectable front-end and hopefully a code audit or two.

      How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astounding.

      Look into who was funding the company.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    2. Re:I don't understand... by bill_mcgonigle · · Score: 2

      Look into KeePassX if you like that style of tool. Bruce's was good for its time.

      https://en.wikipedia.org/wiki/...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    3. Re:I don't understand... by nine-times · · Score: 1

      The nature of the breach isn't entirely clear. It's possible that the passwords are encrypted, and that the encryption wasn't broken. There are other kinds of exploits and intrusions.

    4. Re:I don't understand... by bongey · · Score: 1

      Thought the same thing, as KeePassX and LastPass both do encryption on the client-side PC. Nope, OneLogin does it on the server, a brain-dead way to do a password vault: break the server, you have the clients' passwords. https://support.onelogin.com/h...

  15. Post-it Security by mentil · · Score: 1

    This is why I keep all my passwords on a post-it note in my desk drawer. I used to keep it on my monitor but the bezel is too small now.
    Hey, where'd the post-it go?! I swear it was in this drawer.

    --
    Corruption is convincing someone that the selfless ideal is the same as their selfish ideal.
    1. Re:Post-it Security by green1 · · Score: 1

      You joke, but it all depends on what you are securing against.

      If my computer is in my house, then there's nothing that someone can get from that post-it note that they can't get from all sorts of other things already there. So why not have it on a post-it?

      If someone gets as far as the post-it note, my problems are far bigger than some random person posting to Slashdot under my name.

  16. One everything to rule the all by Anonymous Coward · · Score: 0

    no thanks

    captcha: shabby

  17. What's the point of these services? by Anonymous Coward · · Score: 0

    gpg -o pass.txt -d .pass.txt.gpg; grep slashdot pass.txt; shred -u pass.txt; sleep 3; clear # Assumes a terminal that lacks the ability to scroll

    If you use passwords on computers besides your home computer, you can keep .pass.txt.gpg on a floppy disk in your pocket protector. I'd also recommend storing words that remind you of the passwords, but have no resemblance to the actual password (e.g. custodian = S+a11man_manS+all).

  18. But wait it was the highest rated per Forrester by Anonymous Coward · · Score: 0

    Forrester nails it! http://get.onelogin.com/2015ForresterWave.html

  19. That's not a breach. by holophrastic · · Score: 1

    If, instead of "onelogin" it were called what it actually is "a basket for your eggs", maybe then people wouldn't put all of their passwords into it.

    Perhaps, one shouldn't put all of one's eggs into one basket. Just saying. Maybe "security" isn't about putting everything in one place.

    Oh wait, what an old-fashioned way of thinking. Let's modernize it, shall we? Give all of your sensitive and valuable stuff to one person to hold -- oh yeah, and trust them both to keep it all safe and to not use it themselves.

    Better?

  20. Server Side encryption, what were they thinking? by bongey · · Score: 2

    I figured OneLogin would be decrypting/encrypting on the local PC. NOPE, those idiots do it on the server side; hack the server and it's lights out. What were they thinking? https://support.onelogin.com/h...
    Was worried for a second that LastPass was doing something stupid also, no, LastPass does all decrypting/encrypting on the client side. AES-256 in JavaScript on the client's local PC and in C++ for their browser extension. Basically LastPass only stores an encrypted file in the cloud, and the file gets downloaded and decrypted only with your password on the client. https://lastpass.com/whylastpa...

  21. Never understood by trevc · · Score: 1

    I have never understood the push for single sign-on systems.