Educause Security Discussion mailing list archives
APB for OneLogin users (again)
From: Emily Harris <emharris () VASSAR EDU>
Date: Wed, 7 Jun 2017 16:22:23 -0400
I had a lot of off-list communication with some of you, and those messages are pretty scattered among my email. I apologize for the broadcast note but wanted to get this information out ASAP.

I talked to the OneLogin CISO and was told that users who have the password cache enabled (but are NOT using password management or password syncs) still have a risk of password theft. The hash lists were exposed, including the hash algorithm and salts. I am pushing back hard on them to reveal this to the public, and they are "considering" my request. Their current releases say there is no password risk except in the two instances noted above, so to me it seems like a big PR problem that they are not informing their customers.

If anyone wants to discuss on a Zoom meeting, I could set something up tomorrow. As an FYI, I told the CISO that I would tell every OneLogin customer I could find, so they are aware I'm notifying peer OneLogin customers.

----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221