The password manager service exposed the data due to a poorly configured online bucket
Abine, developer of the Blur password management service, has recently published a security notice reporting that a file containing users’ sensitive data was exposed due to an oversight, according to cybersecurity specialists from the International Institute of Cyber Security.
The exposure was reportedly identified on September 13th, when Abine found a file containing email addresses, the IP addresses its customers used to log into Blur, and encrypted information related to users’ passwords. Apparently, the file had been exposed since January 6th, 2018.
Blur’s main purpose is to protect and enhance its users’ online privacy, offering password management as well as protection and masking for payment cards, email addresses and phone numbers. For its part, Abine protects stored passwords with bcrypt, using a unique salt for each user. According to cybersecurity experts, it is these per-user bcrypt values, rather than the real passwords, that appear in the exposed file.
However, this password-related information could still help an attacker gain access to other online accounts if the user registered those services with the same email address. According to the security alert published by Abine, so far there is no evidence that any user’s sensitive data has been compromised.
“We believe that the data of our users remain secure. There is no evidence suggesting that the data stored in Blur (protected payment cards, email and phones) have been compromised,” reads a post on the Abine blog.
Cybersecurity experts point out that Abine has not provided further details about the incident, such as the exact number of victims or how the bucket was exposed in the first place. Early research suggests that the exposed file sat in a misconfigured Amazon S3 bucket, and that data from about 2.4 million users was exposed during the incident.
This incident is a hard blow to Abine, because password managers are considered a more reliable way to manage a large number of credentials for different services without having to memorize different passwords or reuse the same password on every platform, acting as an additional security layer. As a security measure, the company advises its users to enable two-factor authentication (2FA) and, if possible, reset all their passwords.