Data of 2.4 Million Blur Password Manager Users Left Exposed Online (zdnet.com) 60
Abine, the company behind the Blur password manager and the DeleteMe online privacy protection service, revealed on Monday a data breach impacting nearly 2.4 million Blur users, ZDNet reports. From the report: The breach came to light last year, on December 13, when a security researcher contacted the company about a server that exposed a file containing sensitive information about Blur users, an Abine spokesperson told ZDNet via email. The company said it followed this initial report with an internal security audit to determine the size of the breach. The audit concluded last week, and the company made the data leak public on Monday in a post on its blog. The data that was available on the web included each user's email addresses, some users' first and last names, some users' password hints but only from our old MaskMe product, and each user's encrypted Blur password.
Re: (Score:2)
For $50 a month I'd EXPECT a free phone upgrade every couple of years.
£10 a month for SIM only. Unlimited SMS, calls and 4GB data. Cancel any time I want with no penalty and move my number to whatever provider I want and they HAVE to give me the PAC to transfer the number within 2 hours.
Boggles my mind how hard you get shafted in the US for cellular service.
Re: In further news, charges are being prepared (Score:2)
And how much is additional data? That's pretty important. I pay $50/mo. for unlimited call/text and 15GiB of data. So can you get an additional 11GiB for under $40?
Re: In further news, charges are being prepared (Score:3)
Re: (Score:3)
Yeah I can get the same thing with 20GB a month for £20 a month, which is what? $25? That's completely contract free. If I use up that 20GB I can just restart my "month" with another £20 and get another 20GB.
Can switch and change how much I pay whenever I want depending on what I need.
If you're ever in the UK and need a SIM I can't recommend GiffGaff enough.
Re:In further news, charges are being prepared (Score:4, Insightful)
We expect to see charges brought against all executive level officers at Abine and class actions are already in the works. Prosecutors have asked the judge to prevent any sale of stock by executives and they are not permitted to leave the country.
Meh- just don't use the company and let it die. Punish them with your wallet. I don't want incompetence to be considered a crime in most cases. Everyone has a moment of incompetence.
Re: (Score:1)
If you are in the business of selling security related products, or handle financial data, I disagree.
If you are incompetent at your core fucking business, that should be criminal, because clearly you have no business being in that field.
If your product is a password manager, and you leave your fucking data on an un-secured serv
Re: (Score:2)
Except that isn't a punishment for anyone except the lower-level staff. You the the executives care if the company goes belly up? They'll just jump with their golden parachutes, start a new company, and go their merry way.
This mindset that it is acceptable for executives to get away scott free when they cause a major fuck up, just blows my mind. If any other person screws up, then at minimum they would be fired. But execs? Nope! Gosh golly sir! How terrible for you! Can I get you another martini?
Re: (Score:2)
When have these ever really have an effect on a company for long.
Ouch (Score:5, Insightful)
Every time I see a breach like this, it makes me glad I'm still using KeePass. The ease of use of LastPass is tempting, but these kinds of services are a very large target.
Re:Ouch (Score:5, Informative)
Re: (Score:2)
Too bad all those passwords take so much space in your memory that you forgot the difference between "an extra step" and "and extra step".
Re: (Score:2)
Where do you strengthen the links in your chain?
I find that password breaches normally happen at the provider's side, either brute forced, or someone haxxors their database and they have now a list of passwords that are in use. By moving to a PW manager and using 30 characters of randomly generated stuff, different for each site, a compromise at foo.com won't affect any of my other accounts.
Another method you could use that doesn't require a password manager is to take the hostname of a site, HMAC it with
Re: (Score:1)
I've pretty much reached the point where if it's an on-line service and wants my information, I won't use it.
The ad revenue of someone who isn't qualified to safeguard my data isn't my problem, and not using these thi
Re: (Score:2)
What password manager does everyone recommend? (Score:3)
I wish open-source programmers would be more careful about choosing names. Keepass sounds like "Keep Ass".
Information about Keepass: KeePass Password Safe [keepass.info]
Does Keepass synchronize across devices? [sourceforge.net]
Re: (Score:2, Informative)
I use Password Store, or just "pass" for short.
Completely free, no cloud, no GUI. Passwords are stored locally and are encrypted with GnuPG, so you can choose your own cipher and strength instead of trusting someone else's defaults. Passwords can be copied to clipboard with the '-c' argument. It even can integrate with git so you can keep your passwords managed in a version control.
https://www.passwordstore.org/
Whenever I need to access my passwords remotely, I just use SSH. Easy enough.
Re: (Score:2)
+ 1 for this one
It works very well, it is simple, you can push it to git and even share with others (recommended different password stores for personal and shared passwords, of course, so you share only the correct one)
Re: (Score:3)
i also use password hasher plus [github.com] for sites, to generate random passwords/key based on a master password and site info ... you only need to backup the password/key to restore the passwords
Re: (Score:2)
+1 for 'pass' (also sometimes referred to as "zx2c4 pass").
Version controlled password vault is great.
I use 'passmenu' as an extension. Emulates a keyboard, so it doesn't wipe out my copy/paste buffer.
It's all GnuPG and Bash underneath. And I use a YubiKey to hold my GnuPG private key (and also my SSH private key, which I use to pull from Git, where I have the password vault archived).
Also works pretty well in a team mode, at least to a certain scale. My work team (4 people) has a 'pass' vault together.
KeePassX? KeePassXC? KeePassDroid? (Score:2)
Or KeePassXC Password Manager? [keepassxc.org] Question: keepassxc
KeePassXC for Beginners [medium.com] says "Android users, consider KeePassDroid [google.com].
iPhone users, consider MiniKeePass [apple.com]".
Re: (Score:2)
Well, I wouldn't trust anything that's in the cloud.
Re: (Score:2)
KeePass is simply a spec and standard for a password vault, with many many software implementations. A lot of those implementations support synching your wallet to either public or private clouds.
The way I use KeePass is I keep my wallet synched to my Google Drive account, which is in turn of course protected by 2FA.
I can then load said wallet on Android, IOS, in my browser, and via local apps in OSX and Windows, because all of these platforms have KeePass apps that support Google Drive sync. Don't like Goo
Re:Ouch (Score:4, Interesting)
I like using multiple PW managers:
1: For the average website, I use LastPass. It is good enough, and actually has been hacked before, with the attacks mitigated by the fact that the data is never available unencrypted on their site. It has MFA, so an attacker would have to compromise a smartphone, and know my PW to get in. I always have MFA on, so even if LastPass is compromised, the attacks will
2: For my 2FA seeds, I use a program like enPass, or Codebook. mSecure, and 1Password are others, but mSecure and 1Password require a subscription and/or accounts with the respective companies, while enPass and Codebook, you pay for once, and you don't have to give them any personal details. These get synced with Dropbox or Google Drive, so an attacker would have to compromise that account (which is 2FA protected), then figure out the 64+ character password used for the data. Not impossible, but good enough. I use multiple programs, as enPass and Codebook allow exporting the seeds to plaintext as well as syncing.
I will also mention SafeInCloud as well, where it costs just one fee, and that's it.
3: For stuff that actually has to be secure and doesn't go to the cloud, I use KeePass with a passphrase and a keyfile. The keyfile is stored on an encrypted USB drive, and never leaves that. For an attacker to obtain the KeePass data, they would have to have physical access, find the dongle, guess the 16 digit PIN in less than ten tries (as the USB drive erases itself after the tenth attempt), and guess the password. Again, it can be done, but it is a good defense against most things.
Re: (Score:2)
1Password doesn't require a subscription or an account. While the company is definitely pushing customers that direction, they haven't stopped selling one-off licenses for the latest versions of their apps. About the only major features that non-subscribers are missing are the ability to sync via 1Password's cloud service and the ability to manage vaults for teams/families. They still have locally-stored vaults with the option to manually sync via Wi-Fi or automatically sync via Dropbox/iCloud.
Re: (Score:2)
That is good. When AgileBits came out with a version forcing people to their cloud, I dropped them like a hot rock. I used to swear by them before they did that one.
Re: (Score:1)
You had ONE job (Score:2)
Re: (Score:2)
In my government IT job in Palo Alto, we don't use passwords anymore. We have moved to USB-C authentication with certificates. -- Rocketman - Star Trek 2: The Wrath of Khan - William Shatner Trailer [t.co]
And in that context it makes sense. It makes less sense for say an average user.
darwin (Score:1)
Blurred minds (Score:2)
Re: (Score:2)
The ironic thing is that password managers can be made secure:
1: Use a DB format that stores a master encryption key... which is then has multiple entries that are public key encrypted, so any device with its private key can unlock the master key and decode things.
2: Each endpoint generates and uses its own public/private keypair. When one adds another machine (computer, phone, tablet), it is "introduced" to it by another device adding the new device to the list.
3: Recovery can be done by adding a recov
Re: (Score:2)
Anyways, your idea sounds great for someone that never uses devices outside of their home!
At least the passwords are stored well (Score:3)
So they may be big screwups, but they're not colossal screwups.
Re: (Score:2)
Did you even read your own quote? It seems to imply that the real sensitive data is unencrypted!
No i think the point was they only have access to the encrypted username and passwords and that they don't have access to the unencrypted usernames and passwords. So it's oddly written but it might be implying the opposite.
And nothing much will happen (Score:5, Insightful)
Next: Blur users targeted by Phishing scams (Score:2)
Re: (Score:2)
Ok so only your email name and password hints were lost. All the bad guys need to send out a barrage of very convincing targeted phishing emails asking users to update their master passwords. As soon as they fall for this all their accounts are toast.
honestly having a password hint compromised is a fairly big deal. a) people suck a hints "Password is my name backwards with a 3" and b) yeah you can use those hints to create more realistic phishing sites.
Privacy protection service hacked .. (Score:2)