Your worst nightmare has come true: A password manager's database has been exposed online.
Abine, the parent company of the Blur password manager and the DeleteMe privacy-protection service, announced in a blog post Monday (Dec. 31) that "a file containing some information about Blur users from prior to January 6th, 2018 was potentially exposed."
ZDNet and Bleeping Computer, after speaking to Abine representatives, reported that almost 2.4 million Blur users were impacted. Blur users should change their master passwords and set up two-factor authentication if they haven't already.
The good news is that there's no evidence that crooks stumbled across the data or copied it. The data was stored online in a poorly configured Amazon Web Services database, and the only person who seems to have noticed that the data was accessible to unauthorized users was the security researcher who reported it to Abine on Dec. 13.
Even better, passwords that customers had stored in Blur were not exposed, nor was payment-card information. DeleteMe accounts were not affected at all.
"There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed," the Abine blog posting said. "There is no evidence that user payment information was exposed."
The bad news is that the exposed data included each Blur user's email address and the two most recent IP addresses from which each customer had logged into Blur. The first and last names and the password-recovery hints of some users were also exposed.
The master passwords to Blur accounts were also exposed, but only as "hashes," one-way mathematical representations from which the original password cannot be read back directly. Those hashes were generated with bcrypt, a deliberately slow password-hashing algorithm, and "salted" with a random value unique to each user, so two people with the same password get different hashes and precomputed lookup tables are useless. That makes cracking expensive rather than impossible: an attacker must guess each user's password separately, paying bcrypt's full cost for every guess. A short or common master password can still be recovered by offline guessing, and an exposed password-recovery hint narrows the search further. Long, unique master passwords should stay safe for the foreseeable future; weak ones should be treated as compromised.
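To make the salted-slow-hash point concrete, here is an added illustration (not Abine's code, and not bcrypt itself: Python's standard library has no bcrypt, so PBKDF2-HMAC-SHA256 from `hashlib` stands in, since it shares the two properties that matter here, a random per-user salt and a tunable work factor). The iteration count, the hash-string format and the tiny wordlist are assumptions chosen for the example. It shows why a leaked hash cannot be read back, why the salt defeats shared lookup tables, and why a weak master password still falls to offline guessing while a long one does not.

```python
"""Salted, slow password hashing: a leaked hash is costly, not free, to crack.

Added example. PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption);
ITERATIONS, the stored-string format and DEMO_WORDLIST are assumptions.
"""
import hashlib
import hmac
import os
import time
from typing import Iterable, Optional

ITERATIONS = 100_000  # work factor; bcrypt expresses the same idea as a "cost" exponent


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>'.

    A fresh 16-byte random salt is drawn per call, so hashing the same
    password twice yields two different strings."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported hash format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Constructed stand-in for the common-password lists crackers actually use.
DEMO_WORDLIST = [
    "123456", "password", "qwerty", "letmein",
    "summer2018", "iloveyou", "blur1234", "welcome1",
]


def offline_crack(stored: str, wordlist: Iterable[str]) -> Optional[str]:
    """What an attacker holding the leaked hash can do: try guesses offline.

    The salt means there is no shortcut; every guess costs one full hash
    computation against this particular user's salt."""
    for guess in wordlist:
        if verify_password(guess, stored):
            return guess
    return None


def guesses_per_second(iterations: int = ITERATIONS, samples: int = 3) -> float:
    """Rough single-core guessing rate at this work factor (hardware-dependent)."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark", salt, iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    weak = hash_password("summer2018")
    strong = hash_password("copper kettle orbits nineteen moons")
    print("same password, two salts differ:", hash_password("summer2018") != weak)
    print("weak master password recovered:", offline_crack(weak, DEMO_WORDLIST))
    print("strong master password recovered:", offline_crack(strong, DEMO_WORDLIST))
    rate = guesses_per_second()
    print(f"~{rate:.0f} guesses/s here; a 10-million-word list costs ~{1e7 / rate / 3600:.1f} h per hash")
```

Run it and note the last line: the per-guess cost is what bcrypt buys, and it scales with the number of users attacked because each salt forces a separate run. It buys nothing for a password that sits near the top of a wordlist, which is why the advice to change the master password stands even though only hashes leaked.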
Abine says it is working with a "leading security firm" to determine the cause of the breach, and has notified law enforcement.
Nevertheless, if you're among those who were impacted, you should assume the worst. First, change your Blur master password and set up multi-factor authentication for your Blur account, especially if the old master password was short, reused elsewhere, or easy to guess from your recovery hint. Then go about changing the passwords that your Blur account stored.