Abine, the company behind the Blur[1] password manager and the DeleteMe[2] online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet has learned.

The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email.

The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post[3] on its blog.

According to Abine, the file that was left freely accessible online contained various details about Blur users who registered before January 6, 2018. Exposed information included:

  • Each user's email addresses
  • Some users' first and last names
  • Some users' password hints but only from our old MaskMe product
  • Each user's last and second-to-last IP addresses used to log in to Blur
  • Each user's encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.

The company stressed that no passwords stored inside users' Blur accounts were exposed.

"We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach," said Abine.

"There is no evidence that the usernames
