Educause Security Discussion mailing list archives

APB for OneLogin users (again)


From: Emily Harris <emharris () VASSAR EDU>
Date: Wed, 7 Jun 2017 16:22:23 -0400

I had a lot of off-list communication with some of you and they are pretty
scattered among my email.  I apologize for the broadcast note but wanted to
get this information out ASAP.

I talked to the OneLogin CISO and was told that users who have the password
cache enabled (but are NOT using password management or password syncs)
still have a risk of password theft.  The hash lists were exposed,
including the hash algorithm and salts.  I am pushing back hard on them to
reveal this to the public, and they are "considering" my request.  Their
current releases say there is no password risk except in the two instances
noted above, so to me it seems like a big PR problem that they are not
informing their customers.

If anyone wants to discuss on a zoom meeting, I could set something up
tomorrow.

As an FYI, I told the CISO that I would tell every OneLogin customer I could
find, so they are aware I'm notifying peer OneLogin customers.
----
Emily Harris, CISSP
Information Security Officer, CIS
Vassar College
845-437-7221
