The Opera browser warned 1.7 million users of its sync system to reset their synced third-party passwords following a breach.
On 26 August, developer Mark “Tarquin” Wilton-Jones announced the incident on Opera’s website:
“Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.”
The Norway-based browser maker says all passwords used for authentication were hashed and salted, whereas synchronization passwords were encrypted.
Steve Ragan of Salted Hash reached out to Opera’s security team to learn more about the synchronization password encryption scheme. A spokesperson for the company, he reports, was a bit dodgy with their responses.
It’s unclear why. In June 2015, the browser admitted it uses Nigori, a protocol which Google Chrome has also partially implemented. Opera hasn’t disclosed what process it uses for hashing the authentication passwords, however.
Out of an abundance of caution, Opera reset all synchronization account passwords. It also encouraged users to reset all of their passwords to third-party websites that they might have stored with the service.
A pain, yes. But a good idea. If an attacker managed to compromise a user’s sync account, they’d basically have access to all their stored web account credentials, which might include login information for banking sites, social media, and email services.
It’s well worth the effort to avoid a headache of that magnitude.
Wilton-Jones explains that all 1.7 million users of the sync service, which is less than 0.5 percent of Opera’s total user base of 350 million, can obtain a new sync password here.
“We take your data security very seriously, and want to sincerely apologize for the inconvenience this might have caused.”
News of this breach comes just a few months after the browser announced both a native VPN and a native ad-blocking feature.