OneLogin Password Manager Breached


OneLogin Password Manager, breached

Postby jkuehl298 » Thu Jun 01, 2017 2:57 pm

Starting to show up more today, also on the leading headline of https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/.

Perhaps it would be good for LastPass to respond or to address it. I would find it useful to understand the size of LastPass vs. OneLogin, for instance how many paying users, how many Enterprise accounts, tenure of those paying accounts. Rough numbers, but still comparable, for Security Maintenance and proactive Security R&D investments.

Something that shows the difference in scales of the small-players to the big-players.
jkuehl298
 
Posts: 2
Joined: Fri May 26, 2017 5:53 pm

Current Hack Data Breach At Competitor

Postby miown342 » Fri Jun 02, 2017 12:00 am

I have just read about the massive break-in to 'OneLogin' accounts, where the hackers were able to get decrypted passwords and full account information. They are also a single log-in provider. Their public statement was: :?:

In the past 24 hours, OneLogin sent out the following notice about a security incident:

“On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”

While no site can be stated as being 100% hack-proof, I would hope with this recent attack on OneLogin, that LastPass is making a review of their 'defense' mechanisms, against hackers.
miown342
 
Posts: 1
Joined: Thu Jun 01, 2017 11:48 pm

how secure is lastpass in relation to "other" managers?

Postby PK2MP7 » Fri Jun 02, 2017 1:42 am

I've been using LastPass without incidents.. but reading an article on a rival manager that was hacked and all data exposed, "onepass", made me think.. is LP secure enough? I already changed my MP to more than 16 characters long. Was reading an article on steps to make your pass secure,
https://www.cnet.com/how-to/the-guide-t ... ould-care/

Not all managers are 100% iron clad secure. I've got over 600 saved accts.. that's a lot to keep track of! :geek:

*P.S. I saw a recent post praising LP that is locked, how uncouth! :x :o :twisted:
PK2MP7
 
Posts: 6
Joined: Sat Jul 30, 2016 1:40 am

Re: OneLogin Password Manager Breached

Postby stimpy » Fri Jun 02, 2017 8:51 am

I would certainly like to know if the attack vector in play at OneLogin is relevant to LastPass, and if so what do I need to do to minimise my risk. If there is no comparable threat, tell us and tell us why.
stimpy
 
Posts: 1
Joined: Fri Jun 02, 2017 8:47 am

Re: OneLogin Password Manager Breached

Postby jonat » Fri Jun 02, 2017 4:39 pm

OneLogin is really a very different thing than LastPass. It isn't a password manager but rather something more along the lines of "Log in with Facebook", using the OAuth authorization system. This requires OneLogin to be able to "see" the individual service passwords. LastPass is a "zero knowledge" system where even if their servers were breached, the most an attacker could get is the "encrypted blob" - LastPass doesn't have your encryption key.
jonat
 
Posts: 2181
Joined: Thu Dec 09, 2010 8:42 pm

