Major identity manager breach exposes sensitive user info

The email recommends aggressive steps to protect accounts, including generating new keys, tokens and security certificates. Naturally, OneLogin also wants individual users to change their passwords. None of these are small feats if you’re a customer — effectively, you’re rebooting your entire sign-in infrastructure.

This doesn’t necessarily mean that you should stop using identity and login management services, or that every service will face a similar fate if there’s a hack. OneLogin notably keeps the decryption keys on its systems, while services like LastPass don’t. You may be hosed if you forget your master login for a service like LastPass, but you won’t have to worry so much if there’s a breach, since the service holds no key that could decrypt your data. Regardless of what you use, the incident is a reminder that you’re striking a balance: you’re trusting someone else with your data in return for greater convenience.

