Abine Blur Password Manager User Data Exposed Online
(Jan 2, 2019)
Abine, the creators of privacy and password manager, "Blur," released a notice on December 31, 2018, that customer information was exposed on the Internet via a misconfigured Amazon Web Services (AWS) S3 bucket file. On December 13th, Abine was notified by a security researcher about the misconfigured file that exposed customers who registered prior to January 2016, which approximates to around 2.4 million users. The exposed data includes: email addresses, encrypted passwords, some full names of users, last and second to last IP addresses used to log into Blur, and password hints from the old "MaskMe" product. No sensitive data such as bank information, stored usernames and passwords, or masked emails/phone numbers were exposed. As of this writing, Abine has resecured the misconfigured S3 file.
Recommendation: Users of Blur, who registered prior to January 2016, should change their Blur password and the password of any site that used the same password. Always make sure your cloud storage is properly configured. Experts have been warning companies that Amazon S3 buckets are too often misconfigured. Leaked data can be used by extortionists in an attempt to make money. Ensure that any cloud storage services you use are properly configured to only allow access to trusted and authorized users. Require multi-factor authentication for access to the most sensitive materials you store.
Indicators of Compromise (IOCs) associated with this story can be viewed by ThreatStream users here to identify potential malicious activity.