
OneLogin Password Manager, breached

PostPosted: Thu Jun 01, 2017 2:57 pm
by jkuehl298
Starting to show up more today, also as the leading headline at https://krebsonsecurity.com/2017/06/onelogin-breach-exposed-ability-to-decrypt-data/ .

Perhaps it would be good for LastPass to respond or to address it. I would find it useful to understand the size of LastPass vs. OneLogin, for instance how many paying users, how many Enterprise accounts, and the tenure of those paying accounts. Rough numbers, but still comparable, for Security Maintenance and proactive Security R&D investments.

Something that shows the difference in scale between the small players and the big players.

Current Hack / Data Breach At Competitor

PostPosted: Fri Jun 02, 2017 12:00 am
by miown342
I have just read about the massive break-in to 'OneLogin' accounts, where the hackers were able to get decrypted passwords and full account information. They are also a single log-in provider. Their public statement was:

In the past 24 hours, OneLogin sent out the following notice about a security incident:

“On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions.”

While no site can be said to be 100% hack-proof, I would hope that with this recent attack on OneLogin, LastPass is reviewing its 'defense' mechanisms against hackers.

How secure is LastPass in relation to "other" managers?

PostPosted: Fri Jun 02, 2017 1:42 am
by PK2MP7
I've been using LastPass without incidents, but reading an article on a rival manager that was hacked and all data exposed, "onepass", made me think: is LP secure enough? I already changed my MP to more than 16 characters. I was reading an article on steps to make your password secure:
https://www.cnet.com/how-to/the-guide-t ... ould-care/

Not all managers are 100% ironclad secure. I've got over 600 saved accounts; that's a lot to keep track of!

P.S. I saw a recent post praising LP that is locked; how uncouth!

Re: OneLogin Password Manager Breached

PostPosted: Fri Jun 02, 2017 8:51 am
by stimpy
I would certainly like to know if the attack vector in play at OneLogin is relevant to LastPass, and if so what do I need to do to minimise my risk. If there is no comparable threat, tell us and tell us why.

Re: OneLogin Password Manager Breached

PostPosted: Fri Jun 02, 2017 4:39 pm
by jonat
OneLogin is really a very different thing than LastPass. It isn't a password manager but rather something more along the lines of "Log in with Facebook", using the OAuth authorization system. This requires OneLogin to be able to "see" the individual service passwords. LastPass is a "zero knowledge" system where, even if their servers were breached, the most an attacker could get is the "encrypted blob": LastPass doesn't have your encryption key.
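As an added example, not code from LastPass, OneLogin or anyone in this thread, here is a toy Python model of the "encrypted blob" design jonat describes: the vault key is derived from the master password on the client, the server receives only a separate one-way login hash plus an opaque blob, and a full dump of the server's data leaves an attacker with nothing better than offline guessing of the master password. The iteration count, the names, the sample vault contents and the cipher are all assumptions; the cipher is a constructed HMAC-SHA256 counter-mode keystream with an HMAC tag, used only so the example runs on the standard library, and a real product would use a vetted AEAD such as AES-GCM.

```python
"""Toy model of a zero-knowledge password-manager backend.

Constructed example: key derivation, login-hash step, cipher and sample data
are assumptions for illustration, not any vendor's actual scheme.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed PBKDF2 work factor; real products choose their own.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Runs on the client. The server never sees master_password or this key."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step over the vault key; this is all the client sends to log in.
    Getting vault_key back from it would mean inverting PBKDF2, so the server cannot decrypt."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Constructed HMAC-SHA256 counter-mode keystream (stdlib only). A real product
    # would use a vetted AEAD such as AES-GCM or ChaCha20-Poly1305 instead.
    blocks: list[bytes] = []
    counter = 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_blob(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client-side encrypt-then-MAC. Layout: nonce(16) || ciphertext || tag(32)."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_blob(vault_key: bytes, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; wrong key or tampering raises."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class VaultServer:
    """Everything the service side holds: a login hash and an opaque blob per account."""

    def __init__(self) -> None:
        self.accounts: dict[str, dict[str, bytes]] = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        # A real service would hash the received login hash once more before storing it.
        self.accounts[email] = {"login_hash": login_hash, "blob": blob}

    def login(self, email: str, login_hash: bytes) -> bool:
        rec = self.accounts.get(email)
        return rec is not None and hmac.compare_digest(rec["login_hash"], login_hash)

    def fetch_blob(self, email: str) -> bytes:
        return self.accounts[email]["blob"]


def crack_from_server_dump(server: VaultServer, email: str, guesses, iterations: int = ITERATIONS):
    """What a full server breach buys an attacker: offline guessing of the master password,
    checked against the stolen login hash, paying the PBKDF2 cost on every guess."""
    rec = server.accounts[email]
    for guess in guesses:
        key = derive_vault_key(guess, email, iterations)
        if hmac.compare_digest(derive_login_hash(key, guess), rec["login_hash"]):
            return guess, decrypt_blob(key, rec["blob"])
    return None


if __name__ == "__main__":
    # Constructed sample data.
    email, master = "alice@example.com", "correct horse battery staple 2017!"
    key = derive_vault_key(master, email)
    server = VaultServer()
    server.register(email, derive_login_hash(key, master), encrypt_blob(key, b"github.com: hunter2"))
    print("login ok:", server.login(email, derive_login_hash(key, master)))
    print("dump cracked with weak list:", crack_from_server_dump(server, email, ["password", "letmein"]))
    print("vault:", decrypt_blob(key, server.fetch_blob(email)))
```

The point the model makes is the one PK2MP7's longer master password addresses: in this design the only thing standing between a stolen server dump and the plaintext vault is the guessability of the master password times the PBKDF2 cost per guess, which is why `crack_from_server_dump` succeeds only when the real password is in the attacker's list.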