The password manager exposed the data due to a misconfigured S3 bucket.
Abine, the developer of the Blur privacy and password management service, issued a security notice on Monday stating that a file containing customer data had been accidentally exposed to the internet.
Abine discovered the exposure on December 13th, when it found a file containing customers' email addresses, the last and second-to-last IP addresses they had used to log in to Blur, and salted bcrypt hashes of their Blur account passwords. The file also held customers' first and last names and password hints, and it dated from January 6, 2018.
See: Here is a list of top 25 worst passwords of 2018
Blur is built around user privacy: it offers password management along with masked credit card numbers, email addresses, and phone numbers. Abine does not store Blur account passwords in the clear; it hashes them with bcrypt using a unique salt for each user, and it is this salted hash, not the password itself, that was present in the exposed file. A salted bcrypt hash cannot be reversed, but an attacker holding the file can still run offline guesses against each user's hash one at a time, so weak passwords remain at risk.
Password hints deserve particular attention: a hint narrows an attacker's guesses considerably, and if the hinted password is reused on other services registered under the same email address, those accounts are at risk too. According to Abine's official statement, there is currently no evidence that critical user data has been exposed.
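The storage pattern the article attributes to Abine (a random per-user salt plus a slow hash, with the password itself never stored) is worth seeing in code. The block below is an added example and is not Abine's code; it swaps in PBKDF2-HMAC-SHA256 from the Python standard library as a stand-in for bcrypt so that it runs without third-party packages, and the iteration count, record layout and sample passwords are assumptions for illustration. It shows why two users with the same password get different records, and what an attacker holding the exposed file still has to do per user.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional

# Stand-in for bcrypt: PBKDF2-HMAC-SHA256 from the standard library, used here
# only so the example runs without third-party packages. The storage pattern
# (random per-user salt + slow hash, never the password) is the same one the
# article describes for Abine.
ITERATIONS = 100_000  # assumed work factor; bcrypt expresses this as a cost parameter


def hash_password(password: str, salt: Optional[bytes] = None) -> Dict[str, str]:
    """Return what the service persists for one user: the salt and the digest.

    The salt is random and unique per user, so two users who pick the same
    password end up with different records.
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex()}


def verify_password(password: str, record: Dict[str, str]) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(record["digest"]))


def shares_digest(password: str) -> bool:
    """Hash the same password twice as two fresh users: do the records share a digest?"""
    return hash_password(password)["digest"] == hash_password(password)["digest"]


def crack_record(record: Dict[str, str], guesses: Iterable[str]) -> Optional[str]:
    """What an attacker holding the exposed file has to do, per user.

    A table of precomputed digests is useless because each user's salt is
    different; every guess must be hashed again with that user's salt at the
    full work factor. That is why a salted slow hash limits the damage, and
    also why a weak or hinted password still falls quickly.
    """
    for guess in guesses:
        if verify_password(guess, record):
            return guess
    return None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("same digest for same password twice:", shares_digest("hunter2"))
    print("cracked:", crack_record(record, ["password", "letmein", "correct horse battery staple"]))
```

The take-away for a breach like this one is in `crack_record`: the salt buys time per user rather than making the hash unbreakable, so the advice to change a weak or reused password still stands even though only hashes leaked.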
“There is no evidence that our users’ most critical data has been exposed, and we believe it is secure. There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed,” Abine explained in its blog post.
Abine has not officially said how many users are affected or how the file came to be exposed. In an email to Bleeping Computer, however, the company explained that the file sat in a misconfigured Amazon S3 storage bucket that was used for data processing, and that the information of nearly 2.4 million users could have been exposed. Abine also confirmed that the password hints in the file came only from its old MaskMe tool.
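A "misconfigured S3 bucket" in incidents like this usually means a bucket policy or ACL that grants read access to everyone. The following is an added example, not anything from Abine or the article, and the article does not say what Abine's bucket configuration actually was: it pairs a constructed bucket policy with a blanket public grant against a corrected one scoped to a single processing role, and implements the check a reviewer would run over a policy document to flag unconditional public statements. Bucket name, account ID and role name are made up.

```python
import json
from typing import Any, List, Union

# Constructed bucket policy showing the kind of misconfiguration that leaves
# objects readable by anyone: an Allow statement whose Principal is "*".
# Illustration only; bucket name and account ID are made up.
PUBLIC_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PublicRead",
            "Effect": "Allow",
            "Principal": "*",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-processing-bucket",
                "arn:aws:s3:::example-processing-bucket/*",
            ],
        }
    ],
})

# The same bucket scoped to one processing role (least privilege).
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ProcessingRoleOnly",
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::123456789012:role/data-processing"},
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-processing-bucket/*",
        }
    ],
})


def _as_list(value: Any) -> List[Any]:
    """Policy fields may be a single value or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_anonymous_principal(principal: Any) -> bool:
    """True when the statement applies to everyone, including unauthenticated callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS"))
    return False


def find_public_statements(policy: Union[str, dict]) -> List[str]:
    """Return the Sids of Allow statements that grant access to everyone with no Condition.

    Statements carrying a Condition are skipped on purpose: some are still
    effectively public (e.g. only aws:SecureTransport) and need a manual look
    rather than an automatic verdict.
    """
    doc = json.loads(policy) if isinstance(policy, str) else policy
    findings = []
    for stmt in _as_list(doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not _is_anonymous_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue
        findings.append(stmt.get("Sid", "<no Sid>"))
    return findings


def is_public(policy: Union[str, dict]) -> bool:
    return bool(find_public_statements(policy))


if __name__ == "__main__":
    for name, policy in (("public", PUBLIC_POLICY), ("restricted", RESTRICTED_POLICY)):
        print(name, "->", find_public_statements(policy) or "no unconditional public grants")
```

In a real account the policy document would come from `aws s3api get-bucket-policy`, and AWS already does a stricter version of this evaluation itself: `aws s3api get-bucket-policy-status --bucket <name>` reports `IsPublic`, and the S3 Block Public Access settings prevent a policy like `PUBLIC_POLICY` from being attached at all. The local check is still useful in code review, before a bucket exists.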
See: Keeper Password Manager in Windows 10 Exposed Saved Passwords
The incident is concerning because password managers are generally trusted to hold the credentials for an ever-growing number of accounts and are meant to be an additional layer of security, not a point of exposure.
To stay safe, Blur users are advised to enable two-factor authentication (2FA) immediately and to change their Blur password. Anyone who reused that password on other services should change it there as well, since the hashes and hints in the exposed file give an attacker a head start on guessing it, and 2FA on Blur does nothing to protect those other accounts.