Major identity manager breach exposes sensitive user info
The attackers even got the means to decrypt secure data.
Identity and password management services are, in theory, supposed to improve your security by promoting tough-to-guess passwords and otherwise keeping logins under lock and key. However, the concentration of high-value data also makes them a juicy target for hackers -- and OneLogin is finding that out the hard way. The business-centric identity management provider has warned users of a US server breach that compromised sensitive info. While OneLogin initially provided only a handful of details in a blog post, Motherboard learned that an email warned customers their info had been taken. Moreover, the attackers compromised the "ability to decrypt" data -- don't count on your login being safe just because there was encryption involved.
The email recommends aggressive steps to protect accounts, including generating new keys, tokens and security certificates. Naturally, OneLogin also wants individual users to change their passwords. None of these are small feats if you're a customer -- effectively, you're rebooting your entire sign-in infrastructure.
This doesn't necessarily mean that you should stop using identity and login management services, or that every service will face a similar fate if there's a hack. OneLogin notably keeps the decryption keys on its systems, while services like LastPass don't. You may be hosed if you forget your master login for a site like LastPass, but you won't have to worry so much if there's a breach. Regardless of what you use, the incident is a reminder that you're striking a balance: you're trusting someone else with your data in return for greater convenience.