Opera Sync Users May Have Been Compromised In Server Breach (fortune.com) 26
An anonymous reader writes: Someone broke into Opera's servers. The Opera browser has a handy feature for synchronizing browsing data across different devices. Unfortunately, some of the passwords and login information used to enable the feature may have been stolen from Opera's servers. Opera's sync service is used by around 1.7 million people each month. Overall, the browser has 350 million users. The Norwegian firm told its users that someone had gained access to the Opera sync system, and "some of our sync users' passwords and account information, such as login names, may have been compromised." As a result, Opera had to reset all the passwords for the feature, meaning users will need to select new ones.
How was it compromised (Score:4, Interesting)
Re: (Score:2)
Re: (Score:1)
Did they break in by a security hole or did they used compromised credentials to break in? Any info on that matter?
I know that it was possible in the first place because this "sync" ever used remote servers.
I have no use for sync functions - I rather like keeping things separate. But if I wanted to sync, it would mean syncing a mobile device that I control (i.e. have rooted) with a PC that I also control (running a FOSS OS). Why the hell would I want to involve any third-party servers for such a simple transfer of data? It's just asking for trouble.
Anyone who wants "the cloud" can keep it. It's a hell of a lot harde
Re:Try the "VPN' feature (Score:4, Funny)
Maybe this isn't the best moment to suggest that people route all their internet traffic through Opera's servers.
Re: (Score:1)
Dumb (Score:3)
Firefox's sync is less secure than that, but it's encrypted on their servers and requires an email verification to use, so the attacker has to compromise both your Firefox account and then your email account.
I take it from TFA that Opera's sync database wasn't hashed, which is orders of magnitude worse than LastPass and Firefox. If anyone's still using Opera, this should be an alarm to switch to something else.
Re: (Score:2)
Unless there is a bug which allows the passwords to be extracted... https://labs.detectify.com/201... [detectify.com]
Good to know, but I do point out that the first line of that link says "Note: This issue has already been resolved and pushed to the Lastpass users."
I hope that they told users to change their saved passwords, though.
You can have convenience, or security, not both... (Score:3)
This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...
Sooner or later they will ALL be breached; many already have been.
Re: (Score:2)
I store everything in KeePassX. To breach that, you'd have to be able to both keylog me and arbitrarily access the files on my drives.
Re: (Score:1)
https://youtu.be/3NjQ9b3pgIg?t... [youtu.be]
Re: (Score:2)
I use a notebook, with ink on paper.
Do you keep the notebook in a safe? If not, I would venture to bet that a robber taking it is more likely than a hacker specifically targeting me and successfully nabbing my database and bruteforcing my master password.
Of course, you could mitigate that by enciphering your written-down passwords, but it's an awful lot of work and you're still more susceptible to a keylogger than I am (if somebody successfully keylogged me, they'd get my master password, but that by itself is useless since I copy+paste al
Re: (Score:1)
This is why I don't use password keepers, store my stuff in browsers, use Opera or Evernote to sync, Google drive...
Sooner or later they will ALL be breached; many already have been.
Not that I am for or against password keepers, but isn't the actual password data itself separately encrypted and stored in an individually encrypted state? That is, not even the people who run the password-keeping service can decrypt the blob of data they store, since they don't store the information necessary to decrypt it. (Decrypting the passwords is done locally on your machine after you type in your pass-phrase.) So an attack that compromised a well-designed password-keeping service would only net t
Oh no ! Warn Carman and Rigoletto !! (Score:2)
I think they both use the Opera Sink backstage...
Passwords not at risk (Score:2)
They are encrypted.
http://www.opera.com/blogs/sec... [opera.com]