Data of 2.4 million Blur password manager users left exposed online

Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet has learned.

The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email.

The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog.

According to Abine, the file that was left freely accessible online contained various details about Blur users who registered before January 6, 2018. Exposed information included:

• Each user's email addresses
• Some users' first and last names
• Some users' password hints but only from our old MaskMe product
• Each user's last and second-to-last IP addresses used to login to Blur
• Each user's encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.

The company stressed that no passwords stored inside users' Blur accounts were exposed.

"We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach," said Abine.

"There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed," the company added.

No data was exposed from the company's DeleteMe service.

Abine is now urging users to change their Blur master password and enable two-factor authentication for their account.

"As a privacy and security focused company this incident is embarrassing and frustrating," Abine said. "These incidents should not happen and we let our users down."

These are the worst hacks, cyberattacks, and data breaches of 2018

More data breach coverage:

• Hackers steal personal info of 1,000 North Korean defectors
• Caribou Coffee chain announces card breach impacting 239 stores
• Twitter discloses suspected state-sponsored attack
• Facebook bug exposed private photos of 6.8 million users
  
• Nokia denies leaking internal credentials in server snafu
• Hacker steals 10 years worth of data from San Diego school district
• Firefox warns if the website you're visiting suffered a data breach CNET
  
• Marriott reveals data breach affecting 500 million hotel guests TechRepublic