The gang over at WordFence have put together an excellent and to-the-point summary of what happened at OneLogin, why the company deserves untold amounts of scorn for how they handle user data, and what you need to do right now if you are a subscriber. The money quote:
On Wednesday, May 31, 2017, we detected that there was unauthorized access to OneLogin data in our US data region. All customers served by our US data center are affected; customer data was compromised, including the ability to decrypt encrypted data.
Note the bold text: including the ability to decrypt encrypted data. This means that OneLogin is violating virtually every tenet of best practises when it comes to data management, including the number one rule of cloud security: The vendor should never, ever, ever have the ability to decrypt user data. Period. Full stop. End of story. Compare this to legitimate cloud services like Dropbox and iCloud where the vendor has no ability to unscramble your data under any circumstances, and have gone so far as to stand up in court for the absolute need to do so on behalf of customer security. OneLogin’s cavalier and reckless attitude towards user security means each and every one of their subscibers needs to take a long hard look at why they use OneLogin and ask themselves whether they should continue to do so. I would venture in the vast majority of cases the answer should now be “hell, no”.
Click here to read the full article and get yourself squared away in case this affect you. Now.