back to article Identity management outfit OneLogin sugar coats impact of attack

Identity management outfit OneLogin has revealed it's suffered a security incident that's seen “unauthorized access to OneLogin data in our US data region”, but has offered rather scarier information in different documents. The company blog describes only "unauthorized access". In emails sent to customers seen by The Reg the …

  1. Solarflare

    For those who would like to see the message you need to be logged in to see:

    http://i.imgur.com/5hEyYgo.png

    (originally posted by a helpful gent on reddit)

    Personally, given this massive ballsup and the fact that they have had problems before:

    https://www.theregister.co.uk/2016/08/31/onelogin_breached_hacker_finds_cleartext_credential_notepads/

    I would personally suggest adding some steps on to the guide.

    12. Stop using OneLogin, start protecting your indentity management data.

    13. Block all corporate access to OneLogin, in case anyone ever has the thought to use again in the future.

    1. Stoneshop Silver badge
      Pirate

      I would personally suggest adding some steps on to the guide.

      These combined would actually supersede step 1 as listed.

      Step 12 wold be something like, ahem, strongly discouraging anyone you know to even think of using OneLogin, with step 13 being the activation of a set of landsharks to go and find if OneLogin's usage policies regarding immunity against claims for damage are as solid as their security.

  2. allthecoolshortnamesweretaken

    So, not that far from a worst case scenario, but no worries.

    1. Anonymous Coward
      Anonymous Coward

      It could have been a Chernobyl, but tis merely a Fukushima.

  3. Destroy All Monsters Silver badge

    Putin or Nork fingered soon.

    Probably on the next cycle of the USUK media machine.

  4. Frank Bitterlich
    FAIL

    Comparison...

    From their marketing blurb:

    "Enjoy Peace of Mind – When your identity management system is secure and reliable, everyone in the enterprise enjoys peace of mind. OneLogin truly values transparency and building trust [...]"

    From their TOS:

    "ONELOGIN DOES NOT WARRANT THAT THE SERVICE IS ERROR-FREE OR THAT OPERATION OF THE SERVICE WILL BE SECURE OR UNINTERRUPTED.

    [...]

    TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, IN NO EVENT SHALL ONELOGIN, ITS AFFILIATES, [...] BE LIABLE FOR (A) ANY INDIRECT, PUNITIVE, INCIDENTAL, SPECIAL, CONSEQUENTIAL OR EXEMPLARY DAMAGES, INCLUDING WITHOUT LIMITATION DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA OR BUSINESS OR OTHER INTANGIBLE LOSSES, [...] UNDER NO CIRCUMSTANCES WILL ONELOGIN BE RESPONSIBLE FOR ANY DAMAGE, LOSS OR INJURY RESULTING FROM HACKING, TAMPERING OR OTHER UNAUTHORIZED ACCESS OR USE OF THE SERVICE OR YOUR ACCOUNT OR THE INFORMATION OR CONTENT CONTAINED THEREIN."

    Pro tip: Read the Terms of Service before signing up to a service, especially when it's a security-critical one. If their own legal department doesn't trust the service, run. As fast as you can.

  5. John Brown (no body) Silver badge
    Facepalm

    Having many and multiple sets of login credentials can be a pain but this is why I try to avoid the use of any service offering single login to multiple services. It's a bit concerning how many websites and services offer the opportunity to login via your (possibly non-existant) Facebook account.

    Convenience trumping single point of failure concerns, yet again.

    1. TReko
      Facepalm

      All your password eggs...

      ....in one hackable basket.

  6. Anonymous Coward
    Anonymous Coward

    ALL YOUR SSO ARE BELONG TO US!!!

    generating all those SAML certs again, ouch.

  7. Anonymous Coward
    Linux

    Single sign-on, identity management and the Cloud

    How about you keeping all your personal encryption keys, digital certificates and digital signatures on a hardware dongle that one keeps about ones person. That way, there is no central repositary to be compromised. Assuming the various security services don't already have that data, since it resides in the cloud .. in the cloud .. in the cloud.

  8. fidodogbreath Silver badge

    Remediation

    The blog says the company is "actively working to determine how best to prevent such an incident from occurring in the future and will update our customers as these improvements are implemented."

    "OK, team, we've changed the database admin password to P@ssword1234. Twelve characters, upper and lower case, special character, and numerals. The password meter says it's super secure now. Don't worry about writing it down; on your way out you can pick up a pre-printed Post-it note for your monitor."

    1. Kiwi
      Coat

      Re: Remediation

      on your way out you can pick up a pre-printed Post-it note for your monitor."

      But if the victims had kept their creds on a post-it note on their monitor, then they wouldn't be victims of this attack, or any other password/credential manager failure/attack!

  9. Anonymous Coward
    Anonymous Coward

    And now spear fishing

    We've seen some pretty convincing spear fishing attacks against our company rise out of this as well. The data they used was legit and had various people fooled. Be on alert and expect more bad things to happen if you used OneLogin.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022