Delicate User Data Exposed in OneLogin Breach

The convenience of single sign-on services is undeniable. Pretty much every useful website or app requires a password these days, and keeping all of those credentials straight is both frustrating and insecure. We all have our system. Post-It notes on a computer monitor, Excel spreadsheets, or notepads stuffed not that far back into a desk drawer are all more common than we would like to imagine.

Single sign-on services cut through all of that. For applications that support federation (SAML or OpenID Connect), the provider vouches for your identity and the application never sees a password at all. For older applications that only accept a username and password, the provider vaults those credentials on your behalf and fills them in automatically when you reach the login page. Either way, the user experience is seamless.

But then the question becomes: how does the single sign-on service secure all of that information, and how well is it protected?

Earlier this week, leading single sign-on provider OneLogin offered a sobering answer. OneLogin operates as a cloud service, storing users' passwords and credential information on remote servers. At one stage of its storage process, OneLogin left storage files unencrypted. That was a green light for attackers, who used confidential information obtained from inside the company to locate and compromise those unencrypted files.
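The failure mode described above is generic: a credential that is protected everywhere else is written, at one stage of the pipeline, in a form anyone with read access to the storage tier can use. The following Go program is an added illustration, not OneLogin's code and not a description of its systems. It places a naive "persist the credential as-is" stage beside a hardened one that seals each credential with AES-GCM (binding the ciphertext to the account name as additional authenticated data) before anything is written, and adds the check a reviewer would run over a storage dump or log export: does any persisted record still contain the secret it is supposed to protect? The key, the account name and the password are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"strings"
)

// insecureStore mimics a pipeline stage that persists the vaulted credential
// as-is. This is the weak pattern: whoever can read the storage tier (or a log
// export of it) reads the password.
func insecureStore(records *[]string, user, password string) {
	*records = append(*records, fmt.Sprintf("user=%s secret=%s", user, password))
}

// Vault encrypts each credential under a key the storage tier never sees.
type Vault struct {
	aead cipher.AEAD
}

// NewVault accepts a 16-, 24- or 32-byte AES key.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// Seal encrypts password with a fresh random nonce. The account name is passed
// as additional authenticated data, so a sealed blob cannot be moved between
// accounts without failing authentication. Output is base64(nonce || ciphertext).
func (v *Vault) Seal(user, password string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, []byte(password), []byte(user))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open reverses Seal; it fails if the blob was tampered with or belongs to a
// different account.
func (v *Vault) Open(user, blob string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(blob)
	if err != nil {
		return "", err
	}
	n := v.aead.NonceSize()
	if len(raw) < n {
		return "", errors.New("ciphertext too short")
	}
	pt, err := v.aead.Open(nil, raw[:n], raw[n:], []byte(user))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// secureStore persists only the sealed form of the credential.
func secureStore(v *Vault, records *[]string, user, password string) error {
	blob, err := v.Seal(user, password)
	if err != nil {
		return err
	}
	*records = append(*records, fmt.Sprintf("user=%s secret=%s", user, blob))
	return nil
}

// LeaksPlaintext is the storage-dump check: true if any persisted record still
// contains one of the secrets the store is supposed to protect.
func LeaksPlaintext(records []string, secrets []string) bool {
	for _, r := range records {
		for _, s := range secrets {
			if strings.Contains(r, s) {
				return true
			}
		}
	}
	return false
}

func main() {
	key := make([]byte, 32) // constructed sample key; in practice comes from a KMS/HSM
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, err := NewVault(key)
	if err != nil {
		panic(err)
	}
	const user, password = "alice", "Tr0ub4dor&3" // constructed sample credential
	var weak, strong []string
	insecureStore(&weak, user, password)
	if err := secureStore(v, &strong, user, password); err != nil {
		panic(err)
	}
	fmt.Println("plaintext store leaks:", LeaksPlaintext(weak, []string{password}))
	fmt.Println("sealed store leaks:   ", LeaksPlaintext(strong, []string{password}))
}
```

The point of `LeaksPlaintext` is that it is cheap to run against every place a credential can land (database, backups, log aggregator), and it would have flagged a stage that wrote the secret in the clear regardless of how well the rest of the pipeline was encrypted.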

This is a major breach for OneLogin's customers. The passwords OneLogin keeps on its servers are the gateway into every protected website or app for thousands of companies and over twelve million users, so a single exposed vault entry can unlock many downstream accounts. The multiplier effect is huge. OneLogin is still investigating the extent of the breach, but it has confirmed that its systems were compromised from at least June 2 to August 25 of this year.

The clean-up process is underway, but it will not be easy. Hundreds of millions of passwords are going to have to be changed as a result of the breach. OneLogin is trying to sort through which passwords it will have users change and which ones were unaffected; any credential that passed through the unencrypted stage should be treated as exposed until proven otherwise.

Is this a stake in the heart of single sign-on? Probably not. Single sign-on and password managers are here to stay, and are still more secure in most circumstances than a Post-It. At the same time, IT managers around the world are taking a close look at the security of their single sign-on solutions, particularly those that reside in the cloud, and at where along the storage path their credentials are actually encrypted.

How does the cybersecurity of your single sign-on solution measure up?  ECHO’s expert engineers can evaluate your system and provide an assessment. Contact us to arrange a consultation.