Slashdot Mirror


Opera Sync Users May Have Been Compromised In Server Breach (fortune.com)

An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.

26 comments

  1. How was it compromised by hyperar · · Score: 3, Interesting

    Did they break in by a security hole or did they use compromised credentials to break in? Any info on that matter?

    1. Re:How was it compromised by sirber · · Score: 1

      I heard the hackers were Chinese ;-)

      --
      Be or ben't
    2. Re:How was it compromised by Anonymous Coward · · Score: 1

      Did they break in by a security hole or did they use compromised credentials to break in? Any info on that matter?

      I know that it was possible in the first place because this "sync" ever used remote servers.

      I have no use for sync functions - I rather like keeping things separate. But if I wanted to sync, it would mean syncing a mobile device that I control (i.e. have rooted) with a PC that I also control (running a FOSS OS). Why the hell would I want to involve any third-party servers for such a simple transfer of data? It's just asking for trouble.

      Anyone who wants "the cloud" can keep it. It's a hell of a lot harder to individually compromise a large number of decentralized nodes, than one big tempting juicy server.

  2. Try the "VPN" feature by Anonymous Coward · · Score: 0

    Opera now includes a great proxy feature (labeled "VPN") with apparently no download limits. I streamed the Canadian broadcast of the Olympics thanks to it.

    1. Re:Try the "VPN" feature by Sneftel · · Score: 3, Funny

      Maybe this isn't the best moment to suggest that people route all their internet traffic through Opera's servers.

      --
      The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
    2. Re:Try the "VPN" feature by teodorom · · Score: 1

      It doesn't "route all your Internet traffic", just connections made through Opera itself. I only use it to access geolocked sites and download sites like Mega, so I don't have to wait for downloading multiple files.

  3. Opera was bought by a Chinese company by Anonymous Coward · · Score: 0

    All Opera users have been compromised since then.

  4. Dumb by LichtSpektren · · Score: 2

    Although I'm no fan of LastPass, at least the only thing you get with the sync is an encrypted blob; it means the attacker both has to compromise your account and then brute force your master password.

    Firefox's sync is less secure than that, but it's encrypted on their servers and requires an email verification to use, so the attacker has to compromise both your Firefox account and then your email account.

    I take it from TFA that Opera's sync database wasn't hashed, which is orders of magnitude worse than LastPass and Firefox. If anyone's still using Opera, this should be an alarm to switch to something else.

    1. Re:Dumb by Anonymous Coward · · Score: 0

      Unless there is a bug which allows the passwords to be extracted...
      https://labs.detectify.com/2016/07/27/how-i-made-lastpass-give-me-all-your-passwords/

    2. Re:Dumb by XXongo · · Score: 1

      Unless there is a bug which allows the passwords to be extracted... https://labs.detectify.com/201...

      Good to know, but I do point out that the first line of that link says "Note: This issue has already been resolved and pushed to the Lastpass users."

      I hope that they told users to change their saved passwords, though.

    3. Re:Dumb by Anonymous Coward · · Score: 0

      If anyone's still using Opera, this should be an alarm to switch to something else.

      Or just not use their Sync service. They have a great browser, but it seems they're lagging behind security-wise on their sync services.
      Disclaimer: I use Opera as my main browser.

    4. Re:Dumb by Anonymous Coward · · Score: 0

      The previous Firefox Sync protocol was more secure, blame the UX people.

  5. 350 by Anonymous Coward · · Score: 0

    Haha. Sounds true, like my ass smells good.

  6. You can have convenience, or security, not both... by Bearhouse · · Score: 2

    This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...

    Sooner or later they will ALL be breached; many already have been.

  7. Unbelievably stupid and naive by Anonymous Coward · · Score: 0

    Who stores their browsing history somewhere they can't control access to it?

    suckers, that's who.

  8. Re:You can have convenience, or security, not both by LichtSpektren · · Score: 1

    Then use a local password manager that doesn't connect to the Internet.

    I store everything in KeePassX. To breach that, you'd have to be able to both keylog me and arbitrarily access the files on my drives.

  9. Re:You can have convenience, or security, not both by Anonymous Coward · · Score: 0

    I use a notebook, with ink on paper.

  10. Re:You can have convenience, or security, not both by Anonymous Coward · · Score: 0

    I make it simple to remember - all my passwords are "password1". It is so obvious no-one will ever guess it!

  11. Signing up for online services is risky by Anonymous Coward · · Score: 0

    I don't use many services that make me sign up. As soon as you give them your name, password, and info, they lose it. Mostly because they don't care - security costs money and there aren't any penalties for being hacked.

  12. Re:You can have convenience, or security, not both by mjew · · Score: 1

    This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...

    Sooner or later they will ALL be breached; many already have been.

    Not that I am for or against password keepers, but isn't the actual password data itself separately encrypted and stored in an individually encrypted state? That is, not even the people who run the password-keeping service can decrypt the blob of data they store, since they don't store the information necessary to decrypt it. (Decrypting the passwords is done locally on your machine after you type in your pass-phrase.) So an attack that compromised a well-designed password-keeping service would only net the attacker a large number of individually encrypted data blobs, each of which has a separate pass-phrase and would have to be attacked separately.
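
The design described in the comment above, as an added sketch that is not part of the original thread or any vendor's code: the client derives keys from the passphrase, and the server record holds only salt, nonce, ciphertext and tag. The function names are hypothetical, and the HMAC-based keystream is a standard-library stand-in for a real AEAD cipher such as AES-GCM.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor; constructed value for this sketch


def _derive_keys(passphrase, salt):
    """Stretch the passphrase into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt,
                                   ITERATIONS, dklen=64)
    return material[:32], material[32:]


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode (stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(passphrase, vault):
    """Client side: build the only record the sync server ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)  # fresh per user and per upload
    enc_key, mac_key = _derive_keys(passphrase, salt)
    stream = _keystream(enc_key, nonce, len(vault))
    ct = bytes(a ^ b for a, b in zip(vault, stream))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ct, "tag": tag}


def open_blob(passphrase, record):
    """Client side: check the tag, then decrypt; a wrong guess raises."""
    enc_key, mac_key = _derive_keys(passphrase, record["salt"])
    ct = record["ciphertext"]
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + ct,
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong passphrase or tampered blob")
    stream = _keystream(enc_key, record["nonce"], len(ct))
    return bytes(a ^ b for a, b in zip(ct, stream))
```

Because every record carries its own random salt, a stolen database gives no shared shortcut: each guess costs a full key derivation against one user's blob only.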

  13. Re:You can have convenience, or security, not both by LichtSpektren · · Score: 1

    I use a notebook, with ink on paper.

    Do you keep the notebook in a safe? If not, I would venture to bet that a robber taking it is more likely than a hacker specifically targeting me and successfully nabbing my database and bruteforcing my master password.

    Of course, you could mitigate that by enciphering your written-down passwords, but it's an awful lot of work and you're still more susceptible to a keylogger than I am (if somebody successfully keylogged me, they'd get my master password, but that by itself is useless since I copy+paste all of my logins; they'd also need to grab my keyfile and database somehow).

  14. Re:You can have convenience, or security, not both by Hardness · · Score: 1
  15. Re:You can have convenience, or security, not both by Anonymous Coward · · Score: 0

    And if they can keylog me, I am already owned as to passwords I type on the machine.
    Personally, I also only use KeePassX on my own machines, never at work or on friends' computers.

  16. Oh no ! Warn Carman and Rigoletto !! by Bob_Who · · Score: 1

    I think they both use the Opera Sink backstage...

  17. A pity by Anonymous Coward · · Score: 0

    I was rather attached to my "figaro" password.

  18. Passwords not at risk by UpnAtom · · Score: 1