
Image credit: weerapatkiatdumrong

Major identity manager breach exposes sensitive user info

The attackers even got the means to decrypt secure data.

Identity and password management services are, in theory, supposed to improve your security by promoting tough-to-guess passwords and otherwise keeping logins under lock and key. However, the concentration of high-value data also makes them a juicy target for hackers -- and OneLogin is finding that out the hard way. The business-centric identity management provider has warned users of a US server breach that compromised sensitive info. While OneLogin initially provided only a handful of details in a blog post, Motherboard learned that an email warned customers their info had been taken. Moreover, the attackers compromised the "ability to decrypt" data -- don't count on your login being safe just because there was encryption involved.

The email recommends aggressive steps to protect accounts, including generating new keys, tokens and security certificates. Naturally, OneLogin also wants individual users to change their passwords. None of these are small feats if you're a customer -- effectively, you're rebooting your entire sign-in infrastructure.

This doesn't necessarily mean that you should stop using identity and login management services, or that every service will face a similar fate if there's a hack. OneLogin notably keeps the decryption keys on its systems, while services like LastPass don't. You may be hosed if you forget your master login for a site like LastPass, but you won't have to worry so much if there's a breach. Regardless of what you use, the incident is a reminder that you're striking a balance: you're trusting someone else with your data in return for greater convenience.
