[BreachExchange] Data of 2.4 million Blur password manager users left exposed online

Destry Winant destry at riskbasedsecurity.com
Thu Jan 3 19:01:08 EST 2019


https://www.zdnet.com/article/data-of-2-4-million-blur-password-manager-users-left-exposed-online/

Abine, the company behind the Blur password manager and the DeleteMe
online privacy protection service, revealed on Monday a data breach
impacting nearly 2.4 million Blur users, ZDNet has learned.

The breach came to light last year, on December 13, when a security
researcher contacted the company about a server that exposed a file
containing sensitive information about Blur users, an Abine
spokesperson told ZDNet via email.

The company said it followed this initial report with an internal
security audit to determine the size of the breach. The audit
concluded last week, and the company made the data leak public on
Monday in a post on its blog.

According to Abine, the file that was left freely accessible online
contained various details about Blur users who registered before
January 6, 2018. Exposed information included:

- Each user's email addresses
- Some users' first and last names
- Some users' password hints but only from our old MaskMe product
- Each user's last and second-to-last IP addresses used to login to Blur
- Each user's encrypted Blur password. These encrypted passwords are
encrypted and hashed before they are transmitted to our servers, and
they are then encrypted using bcrypt with a unique salt for every
user. The output of this encryption process for these users was
potentially exposed, not actual user passwords.
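The last bullet describes a two-stage scheme: the master password is hashed on the client before transmission, and the server then applies bcrypt with a per-user salt and stores only that output, which is why a leaked record is not the password itself. The following is an added illustration of that design, not Abine's or Blur's code. bcrypt is not in the Python standard library, so PBKDF2-HMAC-SHA256 from hashlib stands in for it; the client-side SHA-256 pre-hash, the iteration count and the sample passwords are assumptions, and the properties being shown are the random per-user salt and the slow, one-way server-side hash.

```python
"""Two-stage credential protection of the kind described above: the client
hashes the master password before sending it; the server applies a slow,
per-user salted hash and stores only that output.

Added illustration, not Abine's code. PBKDF2-HMAC-SHA256 (hashlib) stands in
for bcrypt because bcrypt is not in the Python standard library.
"""
import hashlib
import hmac
import secrets
from typing import Optional

PBKDF2_ITERATIONS = 100_000   # assumed work factor; tune to your hardware
SALT_BYTES = 16               # random salt generated per user


def client_prehash(master_password: str) -> bytes:
    """Stage 1, run on the client: the raw master password never leaves the
    device. Assumed construction; the article does not name the algorithm."""
    return hashlib.sha256(master_password.encode("utf-8")).digest()


def server_store(prehash: bytes, salt: Optional[bytes] = None) -> dict:
    """Stage 2, run on the server: slow hash with a fresh random salt.
    Returns the record that would sit in the database, and therefore in a
    leaked file. It contains the salt and the digest, never the password."""
    if salt is None:
        salt = secrets.token_bytes(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", prehash, salt, PBKDF2_ITERATIONS)
    return {"salt": salt.hex(), "digest": digest.hex(),
            "iterations": PBKDF2_ITERATIONS}


def register(master_password: str) -> dict:
    """Full registration path: client pre-hash, then server-side salted hash."""
    return server_store(client_prehash(master_password))


def verify(record: dict, candidate_password: str) -> bool:
    """Login check: recompute stage 1 and stage 2 with the stored salt and
    compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    expected = bytes.fromhex(record["digest"])
    candidate = hashlib.pbkdf2_hmac("sha256", client_prehash(candidate_password),
                                    salt, record["iterations"])
    return hmac.compare_digest(candidate, expected)


def records_differ_for_same_password(password: str) -> bool:
    """The 'unique salt for every user' property: two accounts with the same
    master password produce unrelated stored digests, so one cracked record
    says nothing about the other."""
    a, b = register(password), register(password)
    return a["salt"] != b["salt"] and a["digest"] != b["digest"]


if __name__ == "__main__":
    # Constructed sample password, not real user data.
    rec = register("correct horse battery staple")
    print("stored record (what a leaked file would hold):", rec)
    print("verify correct password:", verify(rec, "correct horse battery staple"))
    print("verify wrong password  :", verify(rec, "password123"))
    print("same password, two users, different digests:",
          records_differ_for_same_password("hunter2"))
```

The stored record is what an exposed file would contain: a salt and a digest. Recovering the password from it requires guessing candidates and running the slow hash for each one separately per user, which is the point of the per-user salt and the work factor, and why the company's advice to rotate the master password and enable two-factor authentication is still the right mitigation once such a file has been exposed.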

The company stressed that no passwords stored inside users' Blur
accounts were exposed.

"We do not have access to your most critical unencrypted data,
including the usernames and passwords for your stored accounts, your
autofill credit cards, and so on. As frustrated as we are right now,
we are glad that we have taken that approach," said Abine.

"There is no evidence that the usernames and passwords stored by our
users in Blur, auto-fill credit card details, Masked Emails, Masked
Phone numbers, and Masked Credit Card numbers were exposed. There is
no evidence that user payment information was exposed," the company
added.

No data was exposed from the company's DeleteMe service.

Abine is now urging users to change their Blur master password and
enable two-factor authentication for their account.

"As a privacy and security focused company this incident is
embarrassing and frustrating," Abine said. "These incidents should not
happen and we let our users down."
