Popular password manager suffers data breach, leaks information of millions

Jan 04, 2019
05:59 pm

What's the story

In a massive data breach, popular password manager Blur has exposed the data of millions of users. The platform, owned and managed by Abine, left user data exposed on one of its servers, leaking names, emails, and hashed passwords. However, the company claims that usernames, passwords, and credit card details stored inside Blur accounts were not leaked. Here's more on the matter.

Issue

Critical file left openly accessible on server

On December 13, a security researcher alerted Blur about a file openly available on one of its servers. The company took note of the report and conducted an internal audit, only to find that the file had made the information of nearly 2.4 million Blur users freely accessible. It compromised details of users who had signed up for the password manager before January 2018.

Information leaked

Information leaked out by Blur

Just recently, Blur apologized for the issue and confirmed that the emails and hashed passwords of nearly 2.4 million accounts involved in the breach were exposed. The last and second-to-last IP addresses used by these users to log in to their Blur accounts may also have been leaked. Notably, some users' password hints and first and last names were also leaked in the breach.

Stored passwords

However, passwords stored inside accounts were not leaked

Blur compromised emails and hashed passwords, but only for the main service. The company notes that it didn't have access to 'critical unencrypted data' of the users and that there's no evidence of its exposure. "There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed."

Information

Also, its DeleteMe service remains unaffected

Along with the information stored within Blur accounts, the company also claims that its DeleteMe online privacy protection service wasn't affected by the breach and remains secure.

Recommendation

Still, you should change your passwords

In the wake of this incident, Abine has asked Blur users to change the passwords of their accounts and enable two-factor authentication. The company has also urged its users to change passwords for all other services that used the same email and password combination as Blur. "This incident is embarrassing and frustrating," the company said while apologizing for the breach.