Data of 2.4 million Blur password manager users left exposed online

Company says data breach didn't expose any actual passwords stored inside users' Blur accounts.


Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet has learned.

The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email.

The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog.

According to Abine, the file that was left freely accessible online contained various details about Blur users who registered before January 6, 2018. Exposed information included:

  • Each user's email addresses
  • Some users' first and last names
  • Some users' password hints, but only from our old MaskMe product
  • Each user's last and second-to-last IP addresses used to log in to Blur
  • Each user's encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.
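The two-stage scheme Abine describes (hash on the client, then bcrypt with a per-user salt on the server) modelled in Python as an added illustration; this is not Abine's code, and the PBKDF2 parameters, the use of the e-mail address as the client-side salt, and scrypt standing in for bcrypt (which is not in the Python standard library) are all assumptions. It shows why a leaked server record is a salted slow hash of a hash, not the master password itself.

```python
import hashlib
import hmac
import os

# Assumed parameters for illustration only; Abine has not published its settings.
CLIENT_ITERATIONS = 100_000
SCRYPT_PARAMS = dict(n=2**14, r=8, p=1, dklen=32)


def client_hash(email: str, master_password: str) -> bytes:
    """Stage 1, in the browser or app: hash the master password before it
    leaves the device, so the server never receives the password itself.
    Using the lower-cased e-mail as the salt is an assumption of this example."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), CLIENT_ITERATIONS, dklen=32)


def server_store(client_digest: bytes, salt: bytes = b"") -> dict:
    """Stage 2, on the server: generate a fresh random salt for this user and run
    the received digest through a slow hash. The article says Abine uses bcrypt;
    scrypt from hashlib stands in for it here. The returned record is what a
    leaked server-side file would contain for the user."""
    salt = salt or os.urandom(16)
    return {"salt": salt, "digest": hashlib.scrypt(client_digest, salt=salt, **SCRYPT_PARAMS)}


def server_verify(record: dict, client_digest: bytes) -> bool:
    """Recompute the slow hash with the stored salt and compare in constant time."""
    candidate = hashlib.scrypt(client_digest, salt=record["salt"], **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, record["digest"])


def register(email: str, master_password: str) -> dict:
    return server_store(client_hash(email, master_password))


def login(record: dict, email: str, master_password: str) -> bool:
    return server_verify(record, client_hash(email, master_password))


def stored_value_is_derived(record: dict, email: str, master_password: str) -> bool:
    """True when the stored digest equals neither the password nor the client hash:
    the unique salt means two users with the same password get unrelated records."""
    digest = record["digest"]
    return digest != master_password.encode() and digest != client_hash(email, master_password)


if __name__ == "__main__":
    alice = register("alice@example.com", "correct horse battery staple")
    bob = register("bob@example.com", "correct horse battery staple")
    print("login ok:", login(alice, "alice@example.com", "correct horse battery staple"))
    print("same password, distinct records:", alice["digest"] != bob["digest"])
```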

The company stressed that no passwords stored inside users' Blur accounts were exposed.

"We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach," said Abine.

"There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed," the company added.

No data was exposed from the company's DeleteMe service.

Abine is now urging users to change their Blur master password and enable two-factor authentication for their account.

"As a privacy and security focused company this incident is embarrassing and frustrating," Abine said. "These incidents should not happen and we let our users down."
