Slashdot Mirror


OneLogin Says Breach Exposed Ability To Decrypt Customer Data (krebsonsecurity.com)

Reader tsu doh nimh writes: OneLogin, an online service that lets users manage logins to sites and apps from a single platform, says it has suffered a security breach in which customer data was compromised, including the ability to decrypt encrypted data, KrebsOnSecurity reports. "A breach that allowed intruders to decrypt customer data could be extremely damaging for affected customers. After OneLogin customers sign into their account, the service takes care of remembering and supplying the customer's usernames and passwords for all of their other applications."

9 of 64 comments

  1. FAIL by Mister+Transistor · · Score: 3, Insightful

    You
    Had
    ONE
    JOB
    ! ! !

    --
    -- You are in a maze of little, twisty passages, all different... --
  2. I was hacked and my slashdot account is abused. by Anonymous Coward · · Score: 2, Funny

    You can easily see it for yourself. There are many obnoxious posts here using my name.

  3. Fail by DontBeAMoran · · Score: 2

    I don't need to have my account hacked to post obnoxious crap. I can do it on my own!

    --
    #DeleteFacebook
  4. When will you people learn by DontBeAMoran · · Score: 3, Insightful

    My passwords are in a little paper book on my computer desk. If a hacker has access to it, I've got bigger problems.

    --
    #DeleteFacebook
    1. Re:When will you people learn by TWX · · Score: 4, Insightful

      I've realized it's just safer to not discuss my password policy.

      --
      Do not look into laser with remaining eye.
    2. Re:When will you people learn by Pascoea · · Score: 2

      I call bullshit. Most passwords are required to be at least 8 characters. Kinda hard to tattoo in a 3pt font.

  5. I don't understand... by hackel · · Score: 3, Insightful

    Wouldn't the very first rule for any kind of platform like this be that passwords are not decryptable without the user providing their key/password? I mean, that it's designed in such a way that this is actually *impossible* without a brute-force breaking of the encryption? How could this ever happen? We need more technical details. Otherwise the level of incompetence would be downright astounding.

    1. Re:I don't understand... by bill_mcgonigle · · Score: 2

      Look into KeePassX if you like that style of tool. Bruce's was good for its time.

      https://en.wikipedia.org/wiki/...

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  6. Server Side encryption, what were they thinking? by bongey · · Score: 2

    I figured OneLogin would be decrypting/encrypting on the local PC. NOPE, those idiots do it on the server side; hack the server and it's lights out. What were they thinking? https://support.onelogin.com/h...
    Was worried for a second that lastpass was doing something stupid also; no, lastpass does all decrypting/encrypting on the client side. AES-256 in javascript on the client local pc and in c++ for their browser extension. Basically lastpass only stores an encrypted file in the cloud, and the file gets downloaded and decrypted only with your password on the client. https://lastpass.com/whylastpa...