
OneLogin Suffers Data Breach


Reported yesterday, May 31st, 2017, in a blog post on OneLogin written by OneLogin's Chief Information Security Officer, Alvaro Hoyos: there has been a data breach in the US Operating Region. The public post is quite vague about how it actually happened, although it does say "The threat actor was able to access database tables that contain information about users, apps, and various types of keys." Alvaro continued on to say that while the information is decrypted, the threat actor might have been able to gather information to decrypt the information.

Also, there appears to be an article available only to OneLogin customers that states the following. Please keep in mind that we haven't been able to verify this information, as we do not have a OneLogin account, but multiple customers have said that THIS LINK is where you can find the text below.


On Wednesday, May 31, 2017 we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data. We have since blocked this unauthorized access, reported the matter to law enforcement, and are working with an independent security firm to assess how the unauthorized access happened and to verify the extent of the impact. We want our customers to know that the trust they have placed in us is paramount, and we have therefore created a set of required actions:

1. Passwords for accessing OneLogin should not be reset unless SSO Password is enabled.
2. Generate new certificates for your apps that use SAML SSO.
   For information about generating new certificates, see Creating and Applying Certificates.
   For information about providing the new certificate to the SAML app, see the app-specific documentation in the App Integration section.
3. Generate new API credentials and OAuth tokens.
   For legacy API keys, see developers.onelogin.com/api-docs/v1-v3/getting-started/using-the-onelogin-api
   For current API keys, see developers.onelogin.com/api-docs/1/getting-started/working-with-api-credentials
   For refreshing OAuth tokens, see developers.onelogin.com/api-docs/1/oauth20-tokens/refresh-tokens
4. Generate new directory tokens.
5. Generate new Desktop SSO tokens and credentials.
6. If you replicate your directory password to provisioned applications (using the SSO Password feature), force a password reset for your users.
   To confirm whether you provision the directory password to an app, go to the Parameters tab for that app and look for the Password parameter. If it is mapped to SSO Password, then you should force a password reset.
7. Recycle any secrets stored in Secure Notes.
   See Secure Notes.
8. Update the credentials you use to authenticate to 3rd party apps for provisioning.
   Some apps use OAuth, others use API keys. For information about the apps you use, view the provisioning doc for those apps in the App Integration section.
9. Update the admin-configured login credentials for apps that use form-based authentication.
   See Adding a Form-Based Application.
10. Have your end-users update their passwords for the form-based authentication apps that they can edit, including personal apps.
    See Changing Usernames and Passwords for Form-Based Apps.
11. Replace your RADIUS shared secrets.
    See Configuring the RADIUS Server Interface.

If you have questions or need assistance please contact us at security-support@onelogin.com.

Now some of you might be familiar with CloudBleed from earlier this year, but this seems to be an even bigger issue than the CloudBleed ever was especially with how long the threat actor had access to the information before anything was updated to prevent this from occurring. 

As always, if you do have a OneLogin account, please make sure that you update all of your credentials and look at using another service for your password saving solutions. But this also brings up the question, is writing your passwords down on a piece of paper and storing it somewhere locked up safer than through an online password manager? 

Let us know your thoughts and whether you were affected by this OneLogin breach.


I don't use any password management besides the storage capacity in my head. All my passwords are secure, with upper- and lower-case characters, numbers and symbols. Every password is different, and I do not use the same password for anything. Honestly, I do not trust clouds, online backup, or anything. The old saying is: if you can lock it, someone can unlock it. I like to have all my data available and within physical reach. What happens when you use online backup and you lose internet or they go bankrupt? You don't have access to your data, and I am not OK with that. Basically, the cloud is just someone else's computer. Just another name for a server.


I work for a cyber security firm, and I can tell you from first-hand experience this is a huge deal! I personally use 1Password to store all my passwords, which are randomly generated. I used LastPass for a while but recently switched to 1Password 2 years ago. To me they are the most secure password protection vault on the market. When you create your encryption key, you keep the key. They do not keep the key. They recommend you print it and put it in a safe for safekeeping. If you try to log in to your 1Password vault from an unauthorized device, you have to input your encryption key to allow access. It was recommended by our pentesters since it is encrypted with 256-bit AES. (I mean, if someone finally cracks AES the whole is in trouble.)

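The design the reply above describes, where the user keeps an encryption key that the service itself never holds, is what limits the damage when a vault provider's server-side data leaks. The sketch below is an added illustration written for this thread; it is not 1Password's or any other vendor's code, and the key-derivation scheme (PBKDF2 then HMAC), the iteration count, the key-check value and the sample password are assumptions of the sketch. It shows why a server record, even combined with a known master password, does not yield the vault key without the device-held secret.

```python
import hashlib
import hmac
import secrets

# Constructed parameters for this sketch (assumptions, not any vendor's real values).
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32          # 256-bit vault key
KCV_LABEL = b"vault-key-check"


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes) -> bytes:
    """Derive the vault key from two independent secrets.

    PBKDF2 stretches the human-chosen password so guessing is slow; the
    device-held secret_key is then mixed in with HMAC, so the salt and
    anything else stored server-side cannot yield the key on their own.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=KEY_LEN
    )
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def key_check_value(vault_key: bytes) -> bytes:
    """Value the service stores so a client can confirm it derived the right key.

    It is a one-way function of the key, so leaking it reveals nothing usable
    without both secrets.
    """
    return hmac.new(vault_key, KCV_LABEL, hashlib.sha256).digest()


def enrol(master_password: str) -> tuple:
    """Client-side enrolment: generate the secret key and the server record.

    Returns (secret_key, server_record). Only server_record ever leaves the
    device; secret_key is what the user is told to print and keep offline.
    """
    secret_key = secrets.token_bytes(32)
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, secret_key, salt)
    server_record = {"salt": salt, "kcv": key_check_value(key)}
    return secret_key, server_record


def unlock(master_password: str, secret_key: bytes, server_record: dict):
    """Re-derive the key on a device and check it against the stored KCV.

    Returns the vault key, or None if either secret is wrong.
    """
    key = derive_vault_key(master_password, secret_key, server_record["salt"])
    if hmac.compare_digest(key_check_value(key), server_record["kcv"]):
        return key
    return None


def breach_without_secret_key(master_password: str, server_record: dict) -> bool:
    """Model the server-side breach scenario: the attacker holds the server
    record and even the correct master password, but not the device secret.

    Returns True when the key cannot be recovered (unlock fails), which is
    what the second secret buys. Recovering it would mean guessing a 256-bit
    random value, which is infeasible.
    """
    # Stand-in for "any value the attacker might try": an all-zero key.
    attacker_guess = bytes(KEY_LEN)
    return unlock(master_password, attacker_guess, server_record) is None


if __name__ == "__main__":
    pw = "correct horse battery staple"   # constructed sample password
    sk, record = enrol(pw)
    print("right password + secret key unlocks:", unlock(pw, sk, record) is not None)
    print("wrong password fails:", unlock("wrong password", sk, record) is None)
    print("server record + password alone fails:", breach_without_secret_key(pw, record))
```

The point of the two-secret layout is that a breach of the service's database, like the one the thread is about, exposes only salts and check values; the password stretch still has to be attacked, and even a correctly guessed password is useless without the secret that stayed on the user's devices and printed copy.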

Security is a vicious circle. The easier you make tech usable (web based), the easier it is for a person to compromise it. Yet the harder you make it, the harder it is for the average user to use it.

There are a lot of people I wonder how they can even use their smart phones to call someone, after some of the support tickets I have seen.
