Slashdot Mirror
Opera Sync Users May Have Been Compromised In Server Breach (fortune.com)
An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.
Did they break in by a security hole or did they used compromised credentials to break in? Any info on that matter?
Although I'm no fan of LastPass, at least the only thing you get with the sync is an encrypted blob; it means the attacker both has to compromise your account and then brute force your master password.
Firefox's sync is less secure than that, but it's encrypted on their servers and requires an email verification to use, so the attacker has to compromise both your Firefox account and then your email account.
I take it from TFA that Opera's sync database wasn't hashed, which is orders of magnitude worse than LastPass and Firefox. If anyone's still using Opera, this should be an alarm to switch to something else.
This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...
Sooner or later they will ALL be breached; many already have been.
Then use a local password manager that doesn't connect to the Internet.
I store everything in KeePassX. To breach that, you'd have to be able to both keylog me and arbitrarily access the files on my drives.
Maybe this isn't the best moment to suggest that people route all their internet traffic through Opera's servers.
The opinions stated herein do not necessarily represent those of anybody at all. Deal with it.
This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...
Sooner or later they will ALL be breached; many already have been.
Not that I am for or against password keepers, but isn't the actual password data itself separately encrypted and stored in an individually encrypted state? That is, not even the people who run the password-keeping service can decrypt the blob of data they store, since they don't store the information necessary to decrypt it. (Decrypting the passwords is done locally on your machine after you type in your pass-phrase.) So an attack that compromised a well-designed password-keeping service would only net the attacker a large number of individually encrypted data blobs, each of which has a separate pass-phrase and would have to be attacked separately.
I use a notebook, with ink on paper.
Do you keep the notebook in a safe? If not, I would venture to bet that a robber taking it is more likely than a hacker specifically targeting me and successfully nabbing my database and bruteforcing my master password.
Of course, you could mitigate that by enciphering your written-down passwords, but it's an awful lot of work and you're still more susceptible to a keylogger than I am (if somebody successfully keylogged me, they'd get my master password, but that by itself is useless since I copy+paste all of my logins; they'd also need to grab my keyfile and database somehow).
https://youtu.be/3NjQ9b3pgIg?t...
I think they both use the Opera Sink backstage...
It doesn't "route all your Internet traffic", just connections made through Opera itself. I only use it to access geolocked sites and download sites like Mega, so I don't have to wait for downloading multiple files.
They are encrypted.
http://www.opera.com/blogs/sec...