2 min Security

Password manager leaks data to millions of users after wrong cloud configuration

Password manager leaks data to millions of users after wrong cloud configuration

Abine, the company behind Blur’s password manager and DeleteMe’s online privacy protection service, has revealed a data breach that has an impact on nearly 2.4 million users of the password manager. That’s what ZDNet reports. The data of these users was published online due to incorrect configuration of an AWS instance, Silicon Angle knows.

The problem was discovered on 13 December 2018 when a security researcher contacted the company. The researcher had found a server with a file containing sensitive information about Blur users. The problem was investigated internally to see how big it was. That research was carried out last week and the problem has now been made public.

Abine says that the file that was available online contained several details about Blur users who signed up before January 6, 2018. This includes e-mail addresses, names and the last IP address from which the user logged in. There are also hints for some users’ passwords, but they only come from the company’s old MaskMe product.

You can also see Blur’s encrypted password for users. “These encrypted passwords are encrypted and hashed before being sent to our servers and then encrypted via bcrypt with a unique salt for each user. The output of this process for these users may have been leaked, but not the actual passwords,” says the company.

No passwords leaked

Passwords in the accounts have not been leaked. “There is no evidence that the usernames and passwords stored by our users in Blur have been leaked,” says the company. This also applies to automatically entered credit card details, ‘Masked Emails’, ‘Masked telephone numbers’ and ‘Masked Credit Card details’. Furthermore, no data from the company’s DeleteMe service has been leaked.

Abine advises users to change their password for Blur and enable two-step verification. “As a privacy and security company, this incident is embarrassing and frustrating,” said Abine. “These incidents must not occur and we have disappointed our users.”

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.