Slashdot Mirror

← Back to Stories (view on slashdot.org)

Data of 2.4 Million Blur Password Manager Users Left Exposed Online (zdnet.com)

Posted by msmash on from the security-woes dept.

Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email addresses, some users' first and last names, some users' password hints but only from our old MaskMe product, and each user's encrypted Blur password.

12 of 60 comments (clear)

  1. Ouch by b0bby · · Score: 4, Insightful

    Every time I see a breach like this, it makes me glad I'm still using KeePass. The ease of use of LastPass is tempting, but these kinds of services are a very large target.

    1. Re:Ouch by b0s0z0ku · · Score: 4, Informative

      Not all password managers require "sharing data." Keepass is cloudfree.

    2. Re:Ouch by paulxb · · Score: 2

      https://bitwarden.com/ is the same as LastPass but you can host it yourself.

    3. Re:Ouch by ctilsie242 · · Score: 3, Interesting

      I like using multiple PW managers:

      1: For the average website, I use LastPass. It is good enough, and actually has been hacked before, with the attacks mitigated by the fact that the data is never available unencrypted on their site. It has MFA, so an attacker would have to compromise a smartphone, and know my PW to get in. I always have MFA on, so even if LastPass is compromised, the attacks will

      2: For my 2FA seeds, I use a program like enPass, or Codebook. mSecure, and 1Password are others, but mSecure and 1Password require a subscription and/or accounts with the respective companies, while enPass and Codebook, you pay for once, and you don't have to give them any personal details. These get synced with Dropbox or Google Drive, so an attacker would have to compromise that account (which is 2FA protected), then figure out the 64+ character password used for the data. Not impossible, but good enough. I use multiple programs, as enPass and Codebook allow exporting the seeds to plaintext as well as syncing.

      I will also mention SafeInCloud as well, where it costs just one fee, and that's it.

      3: For stuff that actually has to be secure and doesn't go to the cloud, I use KeePass with a passphrase and a keyfile. The keyfile is stored on an encrypted USB drive, and never leaves that. For an attacker to obtain the KeePass data, they would have to have physical access, find the dongle, guess the 16 digit PIN in less than ten tries (as the USB drive erases itself after the tenth attempt), and guess the password. Again, it can be done, but it is a good defense against most things.

  2. Re:In further news, charges are being prepared by Oswald+McWeany · · Score: 3, Insightful

    We expect to see charges brought against all executive level officers at Abine and class actions are already in the works. Prosecutors have asked the judge to prevent any sale of stock by executives and they are not permitted to leave the country.

    Meh- just don't use the company and let it die. Punish them with your wallet. I don't want incompetence to be considered a crime in most cases. Everyone has a moment of incompetence.

    --
    "That's the way to do it" - Punch
  3. At least the passwords are stored well by drinkypoo · · Score: 2

    The company stressed that no passwords stored inside users' Blur accounts were exposed.

    "We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach," said Abine.

    So they may be big screwups, but they're not colossal screwups.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  4. And nothing much will happen by OneHundredAndTen · · Score: 4, Insightful

    We keep hearing about similar breaches, over and over again, and nothing much ever happens. It seems to be the case that it is actually cheaper for companies to do damage control than to take the necessary security measures to prevent such breaches in the first place. I am sure that a few heads rolled in Equifax after their breach a few years ago - but Equifax is still there, doing what it has always done. They sure took a hit - but they probably calculated that dealing with such hits is cheaper and simpler than implement an effective security policy. No wonder most companies pay lip service to security: they all claim it is very important, but they do less than as little as possible. Until such breaches have a significant impact on their bottom line, things will not change.

  5. What password manager does everyone recommend? by Futurepower(R) · · Score: 2

    Please recommend a password manager.

    I wish open-source programmers would be more careful about choosing names. Keepass sounds like "Keep Ass".

    Information about Keepass: KeePass Password Safe

    Does Keepass synchronize across devices?

    1. Re:What password manager does everyone recommend? by Anonymous Coward · · Score: 2, Informative

      I use Password Store, or just "pass" for short.

      Completely free, no cloud, no GUI. Passwords are stored locally and are encrypted with GnuPG, so you can choose your own cipher and strength instead of trusting someone else's defaults. Passwords can be copied to clipboard with the '-c' argument. It even can integrate with git so you can keep your passwords managed in a version control.

      https://www.passwordstore.org/

      Whenever I need to access my passwords remotely, I just use SSH. Easy enough.

    2. Re:What password manager does everyone recommend? by higuita · · Score: 2

      i also use password hasher plus for sites, to generate random passwords/key based on a master password and site info ... you only need to backup the password/key to restore the passwords

      --
      Higuita
  6. Re: In further news, charges are being prepared by gnasher719 · · Score: 2

    EE (the first one I checked) has unlimited calls, unlimited messages, and 60GB data per month for £30 per month. Yes, mobile data is one area where it looks like American providers are absolutely ripping you off. Also, contracts usually have phone and service separate, so when your phone is paid off you stop paying for your phone as long as you keep your old phone.

  7. Re: In further news, charges are being prepared by richy+freeway · · Score: 2

    Yeah I can get the same thing with 20GB a month for £20 a month, which is what? $25? That's completely contract free. If I use up that 20GB I can just restart my "month" with another £20 and get another 20GB.

    Can switch and change how much I pay whenever I want depending on what I need.

    If you're ever in the UK and need a SIM I can't recommend GiffGaff enough.