Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data of 2.4 Million Blur Password Manager Users Left Exposed Online (zdnet.com)

Posted by msmash on from the security-woes dept.

Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email addresses, some users' first and last names, some users' password hints but only from our old MaskMe product, and each user's encrypted Blur password.

38 of 60 comments (clear)

  1. Ouch by b0bby · · Score: 4, Insightful

    Every time I see a breach like this, it makes me glad I'm still using KeePass. The ease of use of LastPass is tempting, but these kinds of services are a very large target.

    1. Re:Ouch by b0s0z0ku · · Score: 4, Informative

      Not all password managers require "sharing data." Keepass is cloudfree.

    2. Re:Ouch by Anonymous Coward · · Score: 1

      Every time I see a breach like this, it makes me glad

      ... that I don't use most forms of online service, because a) I refuse to give someone my information like that, and b) I assume the people who run these services are drooling idiots and greedy assholes who don't know or care about security.

      I've pretty much reached the point where if it's an on-line service and wants my information, I won't use it.

      The ad revenue of someone who isn't qualified to safeguard my data isn't my problem, and not using these things has never made me feel like I'm missing out on anything.

      I find it just saves time to assume they're incompetent, and not use their damn shit. It saves time, and in the end it's usually a safe bet.

    3. Re:Ouch by DontBeAMoran · · Score: 1

      Too bad all those passwords take so much space in your memory that you forgot the difference between "an extra step" and "and extra step".

      --
      #DeleteFacebook
    4. Re:Ouch by paulxb · · Score: 2

      https://bitwarden.com/ is the same as LastPass but you can host it yourself.

    5. Re:Ouch by ctilsie242 · · Score: 3, Interesting

      I like using multiple PW managers:

      1: For the average website, I use LastPass. It is good enough, and actually has been hacked before, with the attacks mitigated by the fact that the data is never available unencrypted on their site. It has MFA, so an attacker would have to compromise a smartphone, and know my PW to get in. I always have MFA on, so even if LastPass is compromised, the attacks will

      2: For my 2FA seeds, I use a program like enPass, or Codebook. mSecure, and 1Password are others, but mSecure and 1Password require a subscription and/or accounts with the respective companies, while enPass and Codebook, you pay for once, and you don't have to give them any personal details. These get synced with Dropbox or Google Drive, so an attacker would have to compromise that account (which is 2FA protected), then figure out the 64+ character password used for the data. Not impossible, but good enough. I use multiple programs, as enPass and Codebook allow exporting the seeds to plaintext as well as syncing.

      I will also mention SafeInCloud as well, where it costs just one fee, and that's it.

      3: For stuff that actually has to be secure and doesn't go to the cloud, I use KeePass with a passphrase and a keyfile. The keyfile is stored on an encrypted USB drive, and never leaves that. For an attacker to obtain the KeePass data, they would have to have physical access, find the dongle, guess the 16 digit PIN in less than ten tries (as the USB drive erases itself after the tenth attempt), and guess the password. Again, it can be done, but it is a good defense against most things.

    6. Re:Ouch by Anubis+IV · · Score: 1

      1Password doesn't require a subscription or an account. While the company is definitely pushing customers that direction, they haven't stopped selling one-off licenses for the latest versions of their apps. About the only major features that non-subscribers are missing are the ability to sync via 1Password's cloud service and the ability to manage vaults for teams/families. They still have locally-stored vaults with the option to manually sync via Wi-Fi or automatically sync via Dropbox/iCloud.

    7. Re:Ouch by ctilsie242 · · Score: 1

      That is good. When AgileBits came out with a version forcing people to their cloud, I dropped them like a hot rock. I used to swear by them before they did that one.

    8. Re:Ouch by ctilsie242 · · Score: 1

      Where do you strengthen the links in your chain?

      I find that password breaches normally happen at the provider's side, either brute forced, or someone haxxors their database and they have now a list of passwords that are in use. By moving to a PW manager and using 30 characters of randomly generated stuff, different for each site, a compromise at foo.com won't affect any of my other accounts.

      Another method you could use that doesn't require a password manager is to take the hostname of a site, HMAC it with your master password, and use the output for your password. For example, echo -n "foo.com" | openssl dgst -sha1 -hmac "hunter2"

      For password managers, 2FA does the job for most sites.

    9. Re:Ouch by fatalcharade · · Score: 1

      RoboForm > Keepass.....

  2. You had ONE job by OakDragon · · Score: 1

    It's one thing when some hotel reservation site does an oopsie with your passwords. This is another level.

    --
    Dark Reflection
    1. Re:You had ONE job by thewolfkin · · Score: 1

      In my government IT job in Palo Alto, we don't use passwords anymore. We have moved to USB-C authentication with certificates. -- Rocketman - Star Trek 2: The Wrath of Khan - William Shatner Trailer

      And in that context it makes sense. It makes less sense for say an average user.

      --
      Just another second banana
  3. Re:In further news, charges are being prepared by Oswald+McWeany · · Score: 3, Insightful

    We expect to see charges brought against all executive level officers at Abine and class actions are already in the works. Prosecutors have asked the judge to prevent any sale of stock by executives and they are not permitted to leave the country.

    Meh- just don't use the company and let it die. Punish them with your wallet. I don't want incompetence to be considered a crime in most cases. Everyone has a moment of incompetence.

    --
    "That's the way to do it" - Punch
  4. Re:In further news, charges are being prepared by DarkRookie2 · · Score: 1

    They will at best pay only a pittance.
    When have these ever really have an effect on a company for long.

    --
    http://progressquest.com/spoltog.php?name=Son+Of+Son+Of+DarkRookie
  5. darwin by clangerbanger · · Score: 1

    in action.

  6. Blurred minds by b0s0z0ku · · Score: 1

    Anyone who uses a "clown" based product to store sensitive passwords must have a blurred mind. Password managers should be local only. If they need to "stink" with other devices, they can do so locally via WiFi, not "stink" via some random corepiration's "clown."

    1. Re:Blurred minds by ctilsie242 · · Score: 1

      The ironic thing is that password managers can be made secure:

      1: Use a DB format that stores a master encryption key... which is then has multiple entries that are public key encrypted, so any device with its private key can unlock the master key and decode things.
      2: Each endpoint generates and uses its own public/private keypair. When one adds another machine (computer, phone, tablet), it is "introduced" to it by another device adding the new device to the list.
      3: Recovery can be done by adding a recovery password to the list.
      4: Backups of the DB can be made using GPG, with the backup exported, encrypted to the devices' public keys.

      This way, the DB can be stored on a cloud provider, or even an open S3 bucket. All an attacker will see is a master database, then figure out that the master key can be decoded by a list of public keys. Since there is no password available, brute forcing is not doable.

    2. Re:Blurred minds by Ksevio · · Score: 1

      Did you have a stroke or something? Seems you're forgotten how to spell common words.

      Anyways, your idea sounds great for someone that never uses devices outside of their home!

  7. At least the passwords are stored well by drinkypoo · · Score: 2

    The company stressed that no passwords stored inside users' Blur accounts were exposed.

    "We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach," said Abine.

    So they may be big screwups, but they're not colossal screwups.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    1. Re: At least the passwords are stored well by thewolfkin · · Score: 1

      Did you even read your own quote? It seems to imply that the real sensitive data is unencrypted!

      No i think the point was they only have access to the encrypted username and passwords and that they don't have access to the unencrypted usernames and passwords. So it's oddly written but it might be implying the opposite.

      --
      Just another second banana
  8. Re: In further news, charges are being prepared by richy+freeway · · Score: 1

    For $50 a month I'd EXPECT a free phone upgrade every couple of years.

    £10 a month for SIM only. Unlimited SMS, calls and 4GB data. Cancel any time I want with no penalty and move my number to whatever provider I want and they HAVE to give me the PAC to transfer the number within 2 hours.

    Boggles my mind how hard you get shafted in the US for cellular service.

  9. And nothing much will happen by OneHundredAndTen · · Score: 4, Insightful

    We keep hearing about similar breaches, over and over again, and nothing much ever happens. It seems to be the case that it is actually cheaper for companies to do damage control than to take the necessary security measures to prevent such breaches in the first place. I am sure that a few heads rolled in Equifax after their breach a few years ago - but Equifax is still there, doing what it has always done. They sure took a hit - but they probably calculated that dealing with such hits is cheaper and simpler than implement an effective security policy. No wonder most companies pay lip service to security: they all claim it is very important, but they do less than as little as possible. Until such breaches have a significant impact on their bottom line, things will not change.

  10. What password manager does everyone recommend? by Futurepower(R) · · Score: 2

    Please recommend a password manager.

    I wish open-source programmers would be more careful about choosing names. Keepass sounds like "Keep Ass".

    Information about Keepass: KeePass Password Safe

    Does Keepass synchronize across devices?

    1. Re:What password manager does everyone recommend? by Anonymous Coward · · Score: 2, Informative

      I use Password Store, or just "pass" for short.

      Completely free, no cloud, no GUI. Passwords are stored locally and are encrypted with GnuPG, so you can choose your own cipher and strength instead of trusting someone else's defaults. Passwords can be copied to clipboard with the '-c' argument. It even can integrate with git so you can keep your passwords managed in a version control.

      https://www.passwordstore.org/

      Whenever I need to access my passwords remotely, I just use SSH. Easy enough.

    2. Re:What password manager does everyone recommend? by higuita · · Score: 1

      + 1 for this one

      It works very well, it is simple, you can push it to git and even share with others (recommended different password stores for personal and shared passwords, of course, so you share only the correct one)

      --
      Higuita
    3. Re:What password manager does everyone recommend? by higuita · · Score: 2

      i also use password hasher plus for sites, to generate random passwords/key based on a master password and site info ... you only need to backup the password/key to restore the passwords

      --
      Higuita
    4. Re:What password manager does everyone recommend? by Average · · Score: 1

      +1 for 'pass' (also sometimes referred to as "zx2c4 pass").

      Version controlled password vault is great.

      I use 'passmenu' as an extension. Emulates a keyboard, so it doesn't wipe out my copy/paste buffer.

      It's all GnuPG and Bash underneath. And I use a YubiKey to hold my GnuPG private key (and also my SSH private key, which I use to pull from Git, where I have the password vault archived).

      Also works pretty well in a team mode, at least to a certain scale. My work team (4 people) has a 'pass' vault together. All the secrets are thus GPG encrypted with all of our public keys. There's also support for Ansible to retrieve passwords from the passwordstore.

    5. Re:What password manager does everyone recommend? by Darinbob · · Score: 1

      Well, I wouldn't trust anything that's in the cloud.

    6. Re:What password manager does everyone recommend? by brunes69 · · Score: 1

      KeePass is simply a spec and standard for a password vault, with many many software implementations. A lot of those implementations support synching your wallet to either public or private clouds.

      The way I use KeePass is I keep my wallet synched to my Google Drive account, which is in turn of course protected by 2FA.

      I can then load said wallet on Android, IOS, in my browser, and via local apps in OSX and Windows, because all of these platforms have KeePass apps that support Google Drive sync. Don't like Google? You can also use DropBox, Box, or use your own private server if you want.... this is what is great about KeePass, do what you want.

      In the very, very unlikely scenario that Google's security is compromised (they are one of the few companies on the planet I somewhat implicitly trust WRT security), then I can still be assured in the security of my wallet which is cryptographically proven and audited.

      I feel a lot safer with this then relying on a company like KeePass which has nowhere near the resources Google has.

  11. Re: In further news, charges are being prepared by reanjr · · Score: 1

    And how much is additional data? That's pretty important. I pay $50/mo. for unlimited call/text and 15GiB of data. So can you get an additional 11GiB for under $40?

  12. Next: Blur users targeted by Phishing scams by n2hightech · · Score: 1

    Ok so only your email name and password hints were lost. All the bad guys need to send out a barrage of very convincing targeted phishing emails asking users to update their master passwords. As soon as they fall for this all their accounts are toast.

    1. Re:Next: Blur users targeted by Phishing scams by thewolfkin · · Score: 1

      Ok so only your email name and password hints were lost. All the bad guys need to send out a barrage of very convincing targeted phishing emails asking users to update their master passwords. As soon as they fall for this all their accounts are toast.

      honestly having a password hint compromised is a fairly big deal. a) people suck a hints "Password is my name backwards with a 3" and b) yeah you can use those hints to create more realistic phishing sites.

      --
      Just another second banana
  13. KeePassX? KeePassXC? KeePassDroid? by Futurepower(R) · · Score: 1

    What about KeepassX?

    Or KeePassXC Password Manager? Question: keepassxc ... can we trust it ?

    KeePassXC for Beginners says "Android users, consider KeePassDroid.
    iPhone users, consider MiniKeePass".

  14. Re: In further news, charges are being prepared by gnasher719 · · Score: 2

    EE (the first one I checked) has unlimited calls, unlimited messages, and 60GB data per month for £30 per month. Yes, mobile data is one area where it looks like American providers are absolutely ripping you off. Also, contracts usually have phone and service separate, so when your phone is paid off you stop paying for your phone as long as you keep your old phone.

  15. Re: In further news, charges are being prepared by richy+freeway · · Score: 2

    Yeah I can get the same thing with 20GB a month for £20 a month, which is what? $25? That's completely contract free. If I use up that 20GB I can just restart my "month" with another £20 and get another 20GB.

    Can switch and change how much I pay whenever I want depending on what I need.

    If you're ever in the UK and need a SIM I can't recommend GiffGaff enough.

  16. Re:In further news, charges are being prepared by Anonymous Coward · · Score: 1

    Meh- just don't use the company and let it die. Punish them with your wallet. I don't want incompetence to be considered a crime in most cases. Everyone has a moment of incompetence.

    If you are in the business of selling security related products, or handle financial data, I disagree.

    If you are incompetent at your core fucking business, that should be criminal, because clearly you have no business being in that field.

    If your product is a password manager, and you leave your fucking data on an un-secured server ... you are criminally incompetent to the point that your activities are either fraudulent, or grossly negligent.

    Sorry, I'm not giving a pass to a company who claims to be helping your security if they're this fucking stupid.

    In the same way I expect a builder or a car company to make something which meats all applicable standards, in the context of a company whose product is a password manager ... this kind of incompetence is not to be just waved away.

  17. Privacy protection service hacked .. by najajomo · · Score: 1

    Haa haaa haaaa :]

  18. Re:In further news, charges are being prepared by ilsaloving · · Score: 1

    Except that isn't a punishment for anyone except the lower-level staff. You the the executives care if the company goes belly up? They'll just jump with their golden parachutes, start a new company, and go their merry way.

    This mindset that it is acceptable for executives to get away scott free when they cause a major fuck up, just blows my mind. If any other person screws up, then at minimum they would be fired. But execs? Nope! Gosh golly sir! How terrible for you! Can I get you another martini?