Abine’s Blur Password Manager, Latest Victim Of Data Breach
Password managers are heaven-sent for many users, as they provide the convenience of a secure password repository for managing multiple complex passwords. However, given that password managers contain passwords for many systems and web services, using one is essentially placing all the eggs in one basket. Add an insecure online component to it, and that creates a recipe for disaster. Unfortunately, this disaster has come to pass, with the Blur Password Manager system suffering a data breach on Dec 13, 2018.
“On Thursday, December 13th 2018, we became aware that some information about Blur users had been potentially exposed and immediately began working to ensure our systems and data were secure, to determine what happened, and to inform and help our users. We have also retained a leading security firm to assist us and have notified law enforcement officials,” explained Abine, the vendor that develops Blur Password Manager, on its official blog.
The breached user records contain the following information, quoted directly from Abine:
- Each user’s email addresses
- Some users’ first and last names
- Some users’ password hints but only from our old MaskMe product
- Each user’s last and second-to-last IP addresses used to login to Blur
- Each user’s encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.
The initial investigation of the security breach disclosed that the attackers took advantage of a misconfigured Amazon S3 storage bucket, which Abine uses as central storage for syncing its users' password managers. Approximately 24 million users are affected by the exposure, including their doubly encrypted, salted and hashed passwords.
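The two-stage protection Abine describes above (the password is hashed on the client before transmission, then stored server-side under a per-user salt) is illustrated below in Python as an added example; it is not Abine's code. Since bcrypt is not in the Python standard library, `hashlib.pbkdf2_hmac` stands in for it, and the round counts and field names are assumptions.

```python
import hashlib
import hmac
import os

# Assumed parameters for this illustration; Abine's actual settings are not public.
CLIENT_ROUNDS = 50_000
SERVER_ROUNDS = 50_000


def client_side_hash(email: str, password: str) -> bytes:
    """Stage 1 (on the device): the server only ever sees this value, never the plaintext.
    The lower-cased e-mail acts as a deterministic salt so the same user always sends the same hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), email.lower().encode(), CLIENT_ROUNDS)


def server_side_store(client_hash: bytes) -> dict:
    """Stage 2 (on the server): re-hash the received value under a salt unique to this user.
    This is the record that a leaked sync store would expose (pbkdf2 standing in for bcrypt)."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def server_side_verify(record: dict, client_hash: bytes) -> bool:
    """Recompute the server-side digest with the stored salt; constant-time comparison."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", client_hash, salt, SERVER_ROUNDS)
    return hmac.compare_digest(digest.hex(), record["digest"])


def register(email: str, password: str) -> dict:
    return server_side_store(client_side_hash(email, password))


def login(record: dict, email: str, password: str) -> bool:
    return server_side_verify(record, client_side_hash(email, password))


if __name__ == "__main__":
    # Constructed sample users; two accounts sharing a password still get distinct records,
    # so an exposed store does not reveal which users share passwords.
    a = register("alice@example.test", "correct horse battery staple")
    b = register("bob@example.test", "correct horse battery staple")
    print(a["digest"] != b["digest"], login(a, "alice@example.test", "correct horse battery staple"))
```

The point a defender takes from this is that a leaked record must be attacked one user at a time (the salt is unique) and still only yields the client-side hash, not the plaintext password.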
Abine has emphasized that no actual usernames or passwords of users were accessed by unauthorized parties. However, it strongly suggests that all users change their usernames and passwords as a security precaution. Lacking the technical know-how to probe the alleged misconfigured Amazon S3 bucket further, the company hired a third-party security consulting firm and contacted law enforcement to conduct a deeper investigation.
“Importantly, there is no evidence that our users’ most critical data has been exposed, and we believe it is secure. There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed. We remain committed to our mission of protecting your privacy and security. In particular we want to help you in a world where you can’t trust third parties with your unencrypted data. We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach,” emphasized Abine.