Abine Blur Password Manager suffers a data breach exposing private data of 2.4 million users

• Exposed information included users’ email addresses, first and last names, last and second-to-last IP addresses used to login to Blur, encrypted Blur passwords.
• Blur confirmed that there is no evidence that the usernames and passwords stored by their users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, Masked Credit Card numbers, and payment details were exposed.

Abine, the online privacy company owning Blur and DeleteMe announced on December 31, 2018 that personal information about Blur password manager users was exposed online.

Blur became aware of the incident on December 13, 2018, upon which the company immediately began working to investigate the incident and to ensure their systems and data were secure. The investigation concluded last week, and the company released a security update on Monday stating that a file containing information from users who had registered prior to January 2016 were exposed online.

What happened?

The file containing information about Blur password manager users from prior to January 6, 2018 was potentially exposed online.

Abine has told BleepingComputer in an email that this file was in a "misconfigured Amazon S3 storage bucket that was being used for data processing." Abine further confirmed to BleepingComputer that approximately 2.4 million users may have had their information exposed.

Upon learning about the incident, Blur has retained a leading security firm to assist them in the investigation and have also notified the law enforcement officials.

What information was leaked?

Exposed information included users’ email addresses, first and last names, last and second-to-last IP addresses used to login to Blur, encrypted Blur passwords, and some users’ password hints from Blur’s old product MaskMe.

“Blur encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords,” the security update reads.

However, Blur confirmed that there is no evidence that the usernames and passwords stored by their users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, Masked Credit Card numbers, and payment details were exposed.

How to ensure that your data remains safe?

Blur is working closely with a leading security firm in order to prevent such breaches from happening in future. Meanwhile, Blur has provided several recommendations for its users to ensure their security after this incident.

• Blur has requested their users to change their Blur passwords and in case if they use the same passwords on any other service, Blur advise their users to change them as well.
• The privacy company recommends its users to back up their Blur data before making any account changes.
• Further, the company recommends using two-factor authentication for their Blur account in order to add an extra layer of security to their account.