Data Leak

Abine, the creator of the Blur privacy and password management service, released a security notice on Monday stating that a file containing customer information was exposed to the Internet.

Blur is a service that aims to increase a user's privacy by offering password management, masked phone numbers, masked credit cards, and masked email addresses so that you do not need to expose your sensitive information online.

In the security notice, Abine explains that they learned on December 13th that a file containing information from customers who had registered prior to January 2016 was exposed online. Abine has told BleepingComputer via email that this file was in a "mis-configured Amazon S3 storage bucket that was being used for data processing." They further told us that approximately 2.4 million users may have had their information exposed.

This file contained the following information:

  • Each user’s email addresses
  • Some users’ first and last names
  • Some users’ password hints but only from our old MaskMe product
  • Each user’s last and second-to-last IP addresses used to login to Blur
  • Each user’s encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.

Abine has stated that there is no evidence that any sensitive data, such as a customer's payment information, stored user names and passwords, or masked emails or phone numbers, was exposed.

Abine told us that they were alerted to the mis-configured S3 bucket by a security researcher on December 13th. Once alerted, Abine secured the bucket, contacted a third-party security company, and notified law enforcement.

To be safe, Abine suggests that their customers change their Blur password and the password at any other site where they use the same password. They also suggest you create a strong password and enable 2-factor authentication.

If you are a Blur customer and have any concerns, you can contact them at blur-support@getabine.com or by phone at 1 (877) 460-2121.

Updated 1/2/19: Added comments from Abine.