Popular password manager suffers data breach, leaks information of millions
What's the story
In a massive data breach, popular password manager Blur has compromised data of millions of users. The platform, owned and managed by Abine, left user data exposed on one of its servers, leaking names, emails, and hashed passwords. However, the company claims that usernames, passwords, and credit card details stored inside Blur accounts were not leaked. Here's more on the matter.
Issue
Critical file left openly accessible on server
On December 13, a security researcher alerted Blur about a file openly available on one of its servers. The company took the report into notice and conducted an internal audit, only to find that the file had made information of nearly 2.4 million Blur users freely accessible. It compromised details of users who had signed up for the password manager before January 2018.
Information leaked
Information leaked out by Blur
Just recently, Blur apologized about the issue and confirmed that emails and hashed passwords of nearly 2.4 million accounts involved in the breach were exposed. The last and second-to-last IP address used by these users to login into their Blur account may also have been leaked. Notably, some users' password hints and first and last names were also leaked in the breach.
Stored passwords
However, passwords stored inside accounts were not leaked
Blur compromised emails and hashed passwords but only for the main service. The company notes it didn't have access to 'critical unencrypted data' of the users and there's no evidence of its exposure. "There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed".
Information
Also, its DeleteMe service remains unaffected
Along with information stored within Blur accounts, the company also claims that its DeleteMe online privacy protection service wasn't affected from the breach and remains secure.
Recommendation
Still, you should change your passwords
In the wake of this incident, Abine has requested Blur users to change the passwords of their accounts and enable two-factor authentication. The company has also urged its users to change passwords for all other services that had the same email and password combination used for Blur. "This incident is embarrassing and frustrating," the company said while apologizing for the breach.