Opera Sync Server breach

Martin Brinkmann
Aug 27, 2016

Opera informed the public yesterday that it detected an attack on the company's server used for the Opera Sync system.

> Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.

Opera Sync is Opera's synchronization feature. Local data such as login data, bookmarks or tabs is synced with Opera's remote server so that the data is available on any device you sign in with.

The sheer volume of data makes browser sync servers a prime target for attackers, much like cloud password managers are.

Data is protected by the user's password, but if that password can be guessed or cracked, the attacker gains access to all information stored in the account.

Opera notes that it only stores encrypted or hashed and salted passwords, but that it has reset all Opera sync account passwords "as a precaution".

All Opera Sync users affected by the breach have been informed about it via email. The email asks users to change the password to their Sync account as soon as possible.


Users are also asked to reset passwords on any third-party site they have stored as login data on Opera Sync as a precaution.

If you are affected by the issue, head over to the password reset page right away to create a new password for the Opera Sync account.

  1. Open the Reset Password page on the Opera website.
  2. Enter your username or email in the form.
  3. Click on the Reset password button to start the process.

You will receive an email with a link pointing to a page where you may change the account password.

According to Opera Software, about 0.5% of all users of the browser make use of Opera Sync. That's 1.7 million in total based on a user base of about 350 million people last month.

Closing Words

Seems to be password reset week. Dropbox reset passwords of some of the company's users as well yesterday.

Users who are using Opera Sync to store third-party login information will have to spend some time resetting passwords on various services they are a member of.

Now You: Are you affected by the issue?


Comments

  1. Reply said on August 30, 2016 at 7:54 pm

    >but you need a server to *serve* it.
    SSH when needed.

    >you mean RSS as in Really Simple Syndication?
    Yes.

    1. LogicDaemon said on August 30, 2016 at 8:47 pm

      >>you mean RSS as in Really Simple Syndication?
      >Yes.

      Thanks for confirmation :)
      I made all points on the topic in my previous message assuming “yes” is the answer :)

      > SSH when needed.

      so a server. Well, then my point is above: after “Is your homepage on your own server?” question, I made some arguments assuming “yes” is the answer.

  2. Alex said on August 28, 2016 at 8:50 am

    This is why I all worry about password managers that store online like LastPass and now it seems 1Password is doing it as well for their subscription versions.

    1. LogicDaemon said on August 28, 2016 at 12:15 pm

      1. worrying is useless. Don’t worry, use countermeasures. And don’t lend your data to providers you don’t trust.
      2. storing online with good encryption is safer than storing offline without one.

  3. Flyer said on August 28, 2016 at 5:50 am

    Easier means always less secure.
    Any function which makes privacy issues more comfortable means agreement of the user for the risk. Nothing more and nothing less.
    This time users have been informed and warned but you never know how many times a similar attack has taken place.
    Also it needs to be understood that with today’s powerful graphics cards used by cracking software to increase the speed of breaking passwords, hashed passwords are not as secure as 10 years ago.
    So if you wanna be on the safe side you gotta keep your sensitive data as passwords, etc. but not spread them around with any service. Sorry.

    1. LogicDaemon said on August 28, 2016 at 12:11 pm

      wrong, easiness and security only inverse in edge cases (which are few – like complete openness versus adding some sort of authentication, or two-factor auth versus simple password).

      Often, easier means more secure because humans have fewer ways to mess things up.
      Try to compare protonmail versus mua+gpg on yahoo. Which is easier? And which is more secure?

      1. COMSEC said on August 28, 2016 at 11:00 pm

        “Synching” a browser (that has specific info about OS, Screen definition, Agent ID and installed plugins) to a phone with your name attached to the phone number is like synching our name to the browser:

        No, thank you.

  4. COMSEC said on August 27, 2016 at 8:40 pm

    Never “synched” anything whatsoever.
    And the last good Opera was 12.x

    1. LogicDaemon said on August 29, 2016 at 7:31 am

      > I edit my own homepage with favourite links.

      1. How is this better? At the very least you sacrifice availability.

      2. Is your homepage on your own server? How much time do you waste on its administration to protect it from script kiddies and automated self-extending botnets?
      Do you audit all software you install there on your own?

      My point is that no one can control everything, and to use modern technologies everyone has to compromise and outsource some processes. Either you make an informed choice (then it’s rational), or you rely on stereotypes and prejudices (then it’s irrational and the outcome is determined by luck).

      1. LogicDaemon said on August 29, 2016 at 7:16 pm

        > I do not need any server to create an .html page as I code a simple page with dark background and a list of links.

        but you need a server to *serve* it. Otherwise, if it’s offline html, it’s defying its purpose: why not just use bookmarks? In case of Opera, there’s Speed Dial as an alternative to bookmarks (or replacement in case of early ChOpera).

        > I do not need twitter. I do not need facebook. Most social activities are useless blabbering and provocative, silly images.

        it’s not related in any way.
        I’m using these, but I’m not an active user, and this is exactly due to that reason. If most people use social networks for silly pictures, it does not mean you have to either use them the same way or abandon them (I’m not telling that you or anyone else have to use social networks, I’m saying that your argument about prevalent usage is invalid).

        > RSS does 90% of what I need at browser startup.

        you mean RSS as in Really Simple Syndication?
        Then do you subscribe to each feed only on a single computer? Or do you subscribe to the same content on different machines (manually syncing the list of sources)? If the latter, you are already doing manual synchronization of the sources list. And you have another problem: you have to manually synchronize read/unread state, because I doubt you like to read the same articles multiple times.

        I can tell you from my experience: reading while waiting for something or even walking on a sidewalk is an efficient way of spending time without wasting. Especially reading RSS ;-) But only if you don’t have to re-check these articles again when you’re in front of a big monitor.

        It’s possible to live without relying on any optional services, the question is, is it worth it? Btw, it’s not just a personal dilemma. Ever heard about “NIH syndrome”? :)

        P.S. This all does not include ensuring reliability and resilience, which costs a lot when doing it alone. What happens when your storage medium dies?

      2. COMSEC said on August 29, 2016 at 6:12 pm

        I do not need any server to create an .html page as I code a simple page with dark background and a list of links.

        I do not need twitter. I do not need facebook. Most social activities are useless blabbering and provocative, silly images.

        RSS does 90% of what I need at browser startup.

    2. SubgeniusD said on August 29, 2016 at 4:31 am

      last good Opera was 12.x +1

    3. LogicDaemon said on August 28, 2016 at 12:05 pm

      So you only have one computerised device in your possession? Not using a smartphone’s browser functions or anything?

      If you do have more than one browser, I bet you tend to use the same web services on both.
      Assuming you’re not using any automated synchronization, if you do bookmarks, basically you selectively “sync” them manually (it’s not full sync, still you want some bookmarks to be on both devices, but this is exactly what is called synchronization). And even if you don’t use bookmarks, then you still synchronize browser histories. Manually. Even if you use Tails and type addresses manually after each system start, at which point it becomes irrational.

      P.S. +1 for last good Opera btw. I miss Presto engine.

      1. COMSEC said on August 28, 2016 at 10:57 pm

        I edit my own homepage with favourite links.

  5. Dave said on August 27, 2016 at 5:43 pm

    Because it’s a TARGET. Why do people keep putting all their private stuff in the places that are the biggest targets for people who want to take that stuff? Sheesh.

    1. LogicDaemon said on August 28, 2016 at 11:59 am

      The assumption in your question is wrong. Your logic is flawed.

      It’s not “people” selecting something vulnerable to put their data in.
      It’s something useful appears (whatever it is), people put their data in, and that’s when it becomes target.

      But if protection is done well, data there will be safer when in possession of owner (in an txt on desktop too often) – in all following quality attributes: Reliability, Availability, Serviceability, Usability.

      In other words, people outsource security because they’re not experts in that field. And this is rational decision.

      1. LogicDaemon said on August 28, 2016 at 12:28 pm

        hm, I messed attributes (copy-pasted without reading what I copy).
        I meant confidentiality, integrity and availability.

  6. Dan said on August 27, 2016 at 5:14 pm

    I am affected because I do use Sync to share passwords between devices. I’ll change the critical passwords (for merchant sites) but I’ll leave the others be. I don’t save passwords from any important account like Gmail, Amazon, Paypal, or Yahoo.

    1. LogicDaemon said on August 28, 2016 at 12:22 pm

      funny thing is, when I migrated to Chrome I removed all my data from Opera and let it sync for the last time.
      Some time after that, Opera 12 denied to Sync. Then I removed my account, at least I thought so.

      But today I successfully reset my password (using nickname). Installed Opera (current one, Chromium-based, aka ChOpera), set up sync, and to my joy found there’s nothing: no bookmarks, no passwords (so all went fine). Clicked link to delete account *again*.

      Problem is that I can’t tell if they save data I “deleted”, so my accounts still may be compromised, but now I don’t have any way to check which ones.

  7. Croatoan said on August 27, 2016 at 2:18 pm

    My default browser on my mobile phone is Opera. I use Opera sync only for sharing tabs with desktop pc. I am not particularly affected by this breach.
