
Password manager OneLogin hit by data breach

ChargedUp
Senior Contributor


Message 1 of 7
Revelate
Moderator Emeritus

Re: Password manager OneLogin hit by data breach


@ChargedUp wrote:

Not good!

BBC Article - OneLogin Data Breach


My company makes heavy use of OneLogin and many of us lost sleep when we were notified around 10:30 pm dealing with the issue.

 

Wasn't immediately critical but the entire organization will have a mandatory password change in the coming days; the full extent wasn't known but OLI told us to assume everything had been compromised, but I have to admit their notification to their customers was on point and they were forthcoming with information as it became available.




        
Message 2 of 7
805orbust
Valued Contributor

Re: Password manager OneLogin hit by data breach

My Secretary uses one of those online services and I think she's nuts. About 3 years ago she put all my company passwords in there for "safekeeping" and I blew a gasket... terrible idea I think. Of course I was also mad at her a year ago for mistakenly setting up 2 autopays with BOA for my wife's truck (it wasn't on purpose) BUT I'm not so annoyed now that we got the title in the mail yesterday 2.5 years early so there's that.

 

Blessing AND malediction?



Message 3 of 7
DaveInAZ
Senior Contributor

Re: Password manager OneLogin hit by data breach


@805orbust wrote:

My Secretary uses one of those online services and I think she's nuts. About 3 years ago she put all my company passwords in there for "safekeeping" and I blew a gasket... terrible idea I think. Of course I was also mad at her a year ago for mistakenly setting up 2 autopays with BOA for my wife's truck (it wasn't on purpose) BUT I'm not so annoyed now that we got the title in the mail yesterday 2.5 years early so there's that.

 

Blessing AND malediction?


Yeah, I think it's a pretty terrible idea as well. With it being so publicly known what a treasure trove of data these kinds of services have, they're a top target for hackers.

 

The company passwords printed on paper, safely locked up is more my idea of "safekeeping".

Message 4 of 7
Revelate
Moderator Emeritus

Re: Password manager OneLogin hit by data breach

OneLogin isn't so much a password vault in the typical use case (Secure Notes notwithstanding and things like LastPass Enterprise are local anyway for personal data unless you choose to share it in the corporate vault, which is another terrible idea) as it is a single sign-on authentication source, and can be tied to 2FA like in our case Duo.  Effectively all of our SaaS provided applications in our entire enterprise besides Google services auth through OLI.

 

Problem is they stored passwords in a hash rather than storing a token for whatever (possibly sloppy) reason; would've figured they'd simply do it like anyone smart does with CC's and PCI these days: don't store that crap locally and delegate the authentication back.  Presumably they saved money on bandwidth and some transaction costs, and this is what we get instead I guess.




        
Message 5 of 7
mitchblue
Valued Contributor

Re: Password manager OneLogin hit by data breach

I use LastPass for personal home use.. I think something happened with them a couple years ago, not sure if severe or not.. but I'm comfortable with them. It beats having the same 1 or 2 ten digit password for 50 sites..

FICO® 8 Scores 821 FICO® 9 Equifax 826 (Updated 02-7-23)
Message 6 of 7
805orbust
Valued Contributor

Re: Password manager OneLogin hit by data breach

Totally agree Dave



Message 7 of 7