Abine, the company behind the Blur password manager and the DeleteMe online privacy service, revealed on Monday a data breach that affected nearly 2.4 million Blur users, ZDNet has learned.
The breach came to light last December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesman told ZDNet via email.
The company said it followed up on this initial report with an internal security audit to determine the size of the breach. The audit ended last week, and the company made the data leak public on Monday in a post on its blog.
According to Abine, the file that was freely available online contained various information about Blur users who registered before January 6, 201
- E-mail addresses of each user
- Some users' first and last names
- Some users' password hints, but only from our old MaskMe product
- Each user's last and second-to-last IP addresses used to log in to Blur
- Each user's encrypted Blur password. These encrypted passwords are encrypted and hashed before being transferred to our servers, and then encrypted using bcrypt with a unique salt for each user. The output of this encryption process for these users was potentially exposed, not actual user passwords.
The company emphasized that no passwords stored in users' Blur accounts were exposed.
"We do not have access to the most critical unencrypted data, including usernames and passwords for your stored accounts, auto-fill credit cards, etc. As frustrated as we are right now, we are pleased that we have taken that approach," said Abine.
"There is no evidence that the usernames and passwords stored by our Blur users, auto-fill credit card details, masked email addresses, masked phone numbers, and masked credit card numbers were exposed. There is no evidence that the user payment information was exposed," the company said.
No data was exposed from the company's DeleteMe service.
Abine now encourages users to change their Blur master password and enable two-factor authentication for their account.
"As a privacy and security focused firm, this event is embarrassing and frustrating," Abine said. "These events should not happen and we let our users down."