by jeffnolan 3311 days ago
It's a semantic argument. You are not storing passwords in an SSO service, but it is passing tokens to authenticate access based on the asserting/relying relationship between IdP and app. The reason I say it is semantic is that while you are not storing passwords, you are sitting on a trove of access credentials. What is different about an SSO app that is of huge value is that cutting off access is not a function of changing passwords at the app level.

I think we agree on all the major points here, but I would not diminish the significance based on the fact that OneLogin is not a password vault.

2 comments

OneLogin also stores passwords like 1Password. I used to work there.
It's a purely informational comment about what the service is, not about the significance of the security breach.

Any identity related service, especially one that also includes password manager and desktop login functionality along with secure notes, etc. being involved in something like this is a major issue. We were looking at using them but have decided to stick with Google instead.