Data on over two million users of a password manager tool has been publicly exposed in another cloud storage misconfiguration incident.
Abine said on Monday that 2.4 million users of its Blur product from before January 6, 2018 were affected. As well as password management, Blur offers the ability to mask phone numbers, credit card details and other information online to help protect user privacy and security.
The file in question, exposed in an Amazon S3 storage snafu, contained email addresses, some first and last names, password hints for its MaskMe product, the last and penultimate IP addresses used to log in to Blur, and Blur passwords hashed using bcrypt with a unique salt for each.
The incident was discovered on December 13, but there is no information on how long the data was exposed.
“Importantly, there is no evidence that our users’ most critical data has been exposed, and we believe it is secure. There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed,” the firm clarified.
“As a best practice, you should change your Blur password. If you use the same password you use on Blur on any other service, you should change those passwords to new unique passwords as well.”
The incident is yet another reminder of the insider threat: in this case stemming from accidental misconfiguration of cloud infrastructure.
It’s a risk that has plagued organizations for years, and experts predict more cyber-criminals may be actively on the lookout for exposed databases as we head into the new year.
Password manager vendors are an attractive target given the sensitive information they store.