Abine says Blur Password Manager User Information Exposed

Customers who use the Blur secure password manager by Abine may have had sensitive information leaked, according to a statement by Abine, the company that makes the product. 

Abine, which bills itself as “The Online Privacy Company,” said that customers who used its Blur secure password manager may have had their personal information exposed.

The company said in an email to Blur users that some of their information was “potentially exposed.” Customers were advised to change their Blur password and the password for any other online accounts that share that password, back up their data, and enable multi-factor authentication on their Blur account, according to a copy of the email obtained by The Security Ledger.

In a blog post, Abine said that a file containing information about Blur users who registered prior to January 6th, 2018 was “potentially exposed.” The file contained users’ email addresses, first and last names, password hints (for some users), IP addresses associated with user logins and bcrypt-encrypted password values. Abine did not disclose how many Blur users were affected. The company claims that it sports “millions” of active users each month on Blur.

“As a privacy and security focused company this incident is embarrassing and frustrating,” Abine said in a statement. “These incidents should not happen and we let our users down. We apologize and are working very hard to ensure we respond quickly and effectively to this incident and make sure we do everything we can to not let anything like it happen again.”

According to Abine support, the data that was exposed was being stored on an Amazon Web Services container and was being used for “reporting maintenance.” Abine does not have any evidence that the data was accessed, though the potential for it to be accessed existed, prompting the warning.

Abine’s Blur is a secure password management application akin to LastPass, Dashlane or Keeper. Abine said that it does not have unencrypted access to customer data such as the usernames and passwords for accounts managed by Blur, autofill credit cards and other sensitive data. That limits the impact of the breach, the company said. Additionally, Abine’s encryption of passwords makes it unlikely that strong user passwords could be broken even if hackers obtained the encrypted version of the password, Abine support told The Security Ledger.

“As frustrated as we are right now, we are glad that we have taken that approach,” the company said in a statement.

Abine isn’t the first password manager to suffer a security breach. In 2015, LastPass acknowledged that its systems were hacked, with hackers making off with customer e-mail addresses, stored password reminders and unique password “hashes.”

Insecure cloud-based servers and storage containers are a common source of data leaks. Firms like UpGuard have been combing the infrastructure of Amazon’s AWS, Microsoft Azure, Google and other major cloud providers in search of exposed data sets, with much success.