Opera warns 1.7 million Opera Sync users of breach, forces password reset

Opera warned 1.7 million Sync users of a possible breach and issued a forced password reset.

About 350 million people use the Opera browser. Of those, 1.7 million received an email from Opera, warning that attackers breached Opera’s cloud Sync service server. Even if a person didn’t check their email, they would have known something was up since Opera forced a password reset for Sync users.

Opera announced the breach on Friday. The company said it detected and then “quickly blocked” an attack last week, but “some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.”

“Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.”

An Opera spokesperson apparently attempted to use the security-by-obscurity deflection method when asked specific encryption questions, but the company “uses Nigori for synchronized passwords and passwords in the system used for authentication are hashed and salted with per-user salts,” according to Salted Hash’s Steve Ragan. He added that it is the process for hashing authentication passwords that Opera won’t reveal.

The breach is still being investigated, but the company urged Sync users to change “any passwords to third party sites they may have synchronized with the service.”

Opera’s breach announcement came on the heels of Dropbox asking some users to reset their passwords.

Dropbox forces password reset for some users

In the case of Dropbox, it is not a new hack but a very old one rearing its ugly head again. The company is zeroing in on users who signed up for the cloud storage service before mid-2012 yet have not changed their Dropbox passwords since then.

This is a preventative measure. The company explained:

Our security teams are always watching out for new threats to our users. As part of these ongoing efforts, we learned about an old set of Dropbox user credentials (email addresses plus hashed and salted passwords) that we believe were obtained in 2012. Our analysis suggests that the credentials relate to an incident we disclosed around that time.

Based on our threat monitoring and the way we secure passwords, we don't believe that any accounts have been improperly accessed. Still, as one of many precautions, we're requiring anyone who hasn't changed their password since mid-2012 to update it the next time they sign in.

Password reuse is a rampant problem, so anyone who reused the same Dropbox password on other sites was also advised to change those passwords.

Copyright © 2016 IDG Communications, Inc.
