The password manager service exposed user data because of a poorly configured cloud storage bucket
Abine, the developer of the Blur password management service, recently published a
security notice reporting that a file containing users' sensitive data
was exposed due to an oversight, according to cybersecurity specialists from the
International Institute of Cyber Security.
The exposed file was identified on September 13th, when Abine found a file
containing email addresses, the IP addresses its clients used to log into Blur,
and bcrypt-hashed password data. The file appears to have been exposed since
January 6th, 2018.
Blur's purpose is to protect and improve its users' privacy on the Internet: it
offers password management as well as masking of payment cards, email addresses
and phone numbers. Abine stores passwords as bcrypt hashes, each computed with a
unique salt for the user in question. According to cybersecurity experts, it is
these salted hashes, not the plaintext passwords, that appear in the exposed file.
Even so, the hashes are not harmless: an attacker can attempt to crack them
offline, and any password recovered this way, paired with the email address
exposed alongside it, could be used to log into other online accounts where the
user reused the same email address and password. According to the security alert
published by Abine, so far there is no evidence that any user's sensitive data has
been compromised.
"We believe that our users' data remains
secure. There is no evidence suggesting that the data stored in Blur (protected
payment cards, email addresses and phone numbers) has been compromised," reads a post on the
Cybersecurity experts point out that Abine has
not provided further details about the incident, such as the exact number of
victims or how the bucket was exposed in the first place. Initial reporting
indicates that the file sat in a misconfigured Amazon S3 bucket and that it holds
data on roughly 2.4 million users.
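The article does not say which setting left the bucket open. The two usual culprits are a bucket ACL that grants READ to the AllUsers or AuthenticatedUsers groups, and a bucket policy whose Allow statement names Principal "*". The following is an added example, not code from Abine or from the original article: an offline audit of both documents in the shape that `aws s3api get-bucket-acl` and `aws s3api get-bucket-policy` return. The sample ACLs and policies are constructed inputs, and the bucket names and account ID in them are invented.

```python
"""Offline audit of an S3 bucket ACL and bucket policy for world-readable access.

Added example (not Abine's code). The JSON documents below are constructed to
match the output shape of `aws s3api get-bucket-acl` / `get-bucket-policy`;
nothing here talks to AWS.
"""
import json

# Grantee URIs that mean "anyone on the Internet" / "anyone with any AWS account".
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Actions that let an anonymous principal download objects (compared lowercase).
READ_ACTIONS = {"s3:getobject", "s3:get*", "s3:*", "*"}


def _as_list(value):
    """IAM JSON allows a string or a list in Action/Principal fields; normalise."""
    return value if isinstance(value, list) else [value]


def public_acl_grants(acl):
    """Return (group, permission) for every ACL grant to a public group."""
    found = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            found.append((grantee["URI"].rsplit("/", 1)[-1], grant.get("Permission")))
    return found


def _principal_is_everyone(principal):
    """Principal "*" or {"AWS": "*"} both mean anonymous access."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Return the Sid of each Allow statement granting object reads to everyone.

    A statement with a Condition block is still reported: conditions such as
    aws:SourceIp can narrow it, but that needs a human to review, not a pass.
    """
    found = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(stmt.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action", []))}
        if actions & READ_ACTIONS:
            found.append(stmt.get("Sid", "<no Sid>"))
    return found


def audit_bucket(acl_json, policy_json):
    """Parse both documents and return (is_public, list of human-readable findings)."""
    acl = json.loads(acl_json)
    policy = json.loads(policy_json) if policy_json else {}
    findings = [f"ACL grants {perm} to {group}" for group, perm in public_acl_grants(acl)]
    findings += [f"policy statement {sid} allows object reads to Principal *"
                 for sid in public_policy_statements(policy)]
    return bool(findings), findings


# Constructed sample documents (invented owner ID, account ID and bucket name).
SAMPLE_ACL_PUBLIC = json.dumps({
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group",
                     "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
})
SAMPLE_ACL_PRIVATE = json.dumps({
    "Owner": {"ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser",
                     "ID": "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"},
         "Permission": "FULL_CONTROL"},
    ],
})
SAMPLE_POLICY_PUBLIC = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": ["s3:GetObject"],
                   "Resource": "arn:aws:s3:::example-exports/*"}],
})
SAMPLE_POLICY_PRIVATE = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "OwnerRead", "Effect": "Allow",
                   "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "s3:GetObject",
                   "Resource": "arn:aws:s3:::example-exports/*"}],
})

if __name__ == "__main__":
    for label, acl, pol in [("public ACL", SAMPLE_ACL_PUBLIC, SAMPLE_POLICY_PRIVATE),
                            ("public policy", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_PUBLIC),
                            ("private", SAMPLE_ACL_PRIVATE, SAMPLE_POLICY_PRIVATE)]:
        is_public, findings = audit_bucket(acl, pol)
        print(f"{label}: public={is_public} {findings}")
```

Either finding alone is enough to make every object downloadable by anyone who learns the bucket name, which is how a single exported file can leak millions of records. In practice the check belongs alongside the account-level S3 Block Public Access setting, which refuses such ACLs and policies outright; the script above is for auditing buckets where that guard was not in place.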
This incident is a hard blow to Abine, because the value of a password manager
rests on users trusting it to hold a large number of credentials for different
services, so that they need neither memorize them all nor reuse one password on
every platform. It is meant to be an additional security layer, not a new point
of exposure.
As a precaution, the company advises its
users to enable two-factor authentication (2FA) and, if possible, reset all their