Change your password

Abine, a company that provides online privacy tools, has reported a security incident that’s thought to have impacted millions of Blur password manager users.

Writing in a blog post on Monday, the Boston-based start-up said it discovered the breach on December 13 and immediately began to mitigate the issue and determine its extent.

More than two million Blur users were affected after misconfigured Amazon S3 cloud storage left some of their information exposed, Abine told The Daily Swig.

Only those who registered Blur accounts before January 6, 2018, have potentially had their details compromised, the company said.

This includes emails, names, password hints, and the last and second-to-last IP addresses that were used to log in to Blur.

Hashed passwords were also exposed, but Abine said the keys to encrypted passwords remain protected.

Regardless, all users should still change their Blur master password following the incident. Implementing two-factor authentication on accounts has additionally been advised.

Abine added: “We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach.”

The company said it has now secured its cloud storage, and is asking those with questions or in need of assistance to get in touch.

“As a privacy and security focused company this incident is embarrassing and frustrating. These incidents should not happen and we let our users down,” it said.

“We apologize and are working very hard to ensure we respond quickly and effectively to this incident and make sure we do everything we can to not let anything like it happen again.”

Insecure S3 buckets continue to be the culprit behind numerous data breaches, despite Amazon making a security permissions check freely available to service administrators early last year.