Abine Inc., the company behind the Blur password manager and the DeleteMe online privacy protection service, has issued a security warning revealing that it accidentally exposed the data of 2.4 million Blur users on a misconfigured Amazon Web Services Inc. instance.
The company learned of the breach on December 13, when a security researcher informed it about an AWS storage issue that exposed a file containing sensitive information, including email addresses, the last and second-to-last IP addresses, and encrypted information about the passwords of Blur users.
The initial report on the number of affected people was released after an internal security audit was completed, and the company then decided to make the data leak public in a post on its blog.
“We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach,” said Abine.
“There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed,” the company added.
Users of the DeleteMe service, however, were not affected by the data compromise.
The company is urging its users to change their Blur master password and enable two-factor authentication for their account.
“As a privacy and security-focused company, this incident is embarrassing and frustrating,” Abine said. “These incidents should not happen and we let our users down.”