Slashdot Mirror


Data of 2.4 Million Blur Password Manager Users Left Exposed Online (zdnet.com)

Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email addresses, some users' first and last names, some users' password hints but only from our old MaskMe product, and each user's encrypted Blur password.

1 of 60 comments

  1. Re:Ouch by ctilsie242 · Score: 3, Interesting

    I like using multiple PW managers:

    1: For the average website, I use LastPass. It is good enough, and actually has been hacked before, with the attacks mitigated by the fact that the data is never available unencrypted on their site. It has MFA, so an attacker would have to compromise a smartphone, and know my PW to get in. I always have MFA on, so even if LastPass is compromised, the attacks will

    2: For my 2FA seeds, I use a program like enPass, or Codebook. mSecure, and 1Password are others, but mSecure and 1Password require a subscription and/or accounts with the respective companies, while for enPass and Codebook you pay once, and you don't have to give them any personal details. These get synced with Dropbox or Google Drive, so an attacker would have to compromise that account (which is 2FA protected), then figure out the 64+ character password used for the data. Not impossible, but good enough. I use multiple programs, as enPass and Codebook allow exporting the seeds to plaintext as well as syncing.

    I will also mention SafeInCloud as well, where it costs just one fee, and that's it.

    3: For stuff that actually has to be secure and doesn't go to the cloud, I use KeePass with a passphrase and a keyfile. The keyfile is stored on an encrypted USB drive, and never leaves that. For an attacker to obtain the KeePass data, they would have to have physical access, find the dongle, guess the 16-digit PIN in less than ten tries (as the USB drive erases itself after the tenth attempt), and guess the password. Again, it can be done, but it is a good defense against most things.
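The comment's third tier relies on a composite key: the vault opens only when both the passphrase and the keyfile are present, so a leaked or guessed passphrase alone (the kind of exposure the Blur story is about) is not enough. The block below is an added illustration written for this page, not code from KeePass, Abine or the commenter; it models the composite-key idea with a simplified construction (hash of passphrase hash plus keyfile hash, then PBKDF2 with a salt) and does not reproduce KeePass's actual file format. The vault, the passphrase and the keyfile bytes are constructed sample values.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Simplified composite-key model (illustration only, not KeePass's real format):
# the passphrase and the keyfile are hashed separately, combined, and then
# stretched with PBKDF2 so that a missing or wrong factor yields a different key.


def derive_composite_key(passphrase: str,
                         keyfile: Optional[bytes],
                         salt: bytes,
                         iterations: int = 200_000) -> bytes:
    """Return a 32-byte key that depends on BOTH the passphrase and the keyfile."""
    pw_part = hashlib.sha256(passphrase.encode("utf-8")).digest()
    # Absent keyfile contributes nothing, so the result differs from the
    # keyfile-protected vault even if the passphrase is correct.
    kf_part = hashlib.sha256(keyfile).digest() if keyfile is not None else b""
    composite = hashlib.sha256(pw_part + kf_part).digest()
    return hashlib.pbkdf2_hmac("sha256", composite, salt, iterations, dklen=32)


@dataclass
class Vault:
    salt: bytes
    verifier: bytes        # HMAC over a fixed label, used to check the key
    iterations: int


VERIFIER_LABEL = b"constructed-vault-verifier"


def create_vault(passphrase: str,
                 keyfile: Optional[bytes],
                 iterations: int = 200_000,
                 salt: Optional[bytes] = None) -> Vault:
    """Build a constructed vault header whose verifier binds both factors."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    key = derive_composite_key(passphrase, keyfile, salt, iterations)
    verifier = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return Vault(salt=salt, verifier=verifier, iterations=iterations)


def unlock(vault: Vault, passphrase: str, keyfile: Optional[bytes]) -> bool:
    """True only if the supplied passphrase AND keyfile reproduce the vault key."""
    key = derive_composite_key(passphrase, keyfile, vault.salt, vault.iterations)
    candidate = hmac.new(key, VERIFIER_LABEL, "sha256").digest()
    return hmac.compare_digest(candidate, vault.verifier)


if __name__ == "__main__":
    # Constructed sample factors; a real keyfile would be random bytes kept
    # off the machine, as the comment describes.
    sample_keyfile = secrets.token_bytes(64)
    vault = create_vault("correct horse battery staple", sample_keyfile)
    print("passphrase + keyfile:", unlock(vault, "correct horse battery staple", sample_keyfile))
    print("passphrase only:     ", unlock(vault, "correct horse battery staple", None))
    print("keyfile only:        ", unlock(vault, "", sample_keyfile))
```

The point to take from it as a defender is that the verifier, not the passphrase, is what the vault stores, and a wrong or missing keyfile fails closed exactly like a wrong passphrase; raising `iterations` is how the cost of each offline guess is tuned.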