Following the news that Opera, the Norway-based internet browser maker, has confirmed that a hacker breached one of the company’s sync servers, potentially exposing passwords, IT security experts from Rapid7 and Centrify commented below.

Corey Williams, Senior Director, Products and Marketing at Centrify:

“The potential payoff of 1.7 million passwords could be huge. Attackers will work hard to crack any server’s encryption and try these passwords across countless thousands of other sites, services, and apps. Until we have something better than passwords protecting our accounts – something like Multi-factor Authentication – we will continue to see these breaches result in success for attackers, and losses for all of us.

Knowing that 2/3 of consumers are ‘likely’ to stop doing business with a hacked organisation, it may mean turbulent waters for Opera in the months to come.”

Tod Beardsley, Senior Research Manager at Rapid7:

“Opera’s move to force reset all their users’ passwords is an excellent step to get users back to a normal state of security. It’s a step that many breached organisations don’t take, at least in part due to a concern for user convenience; Opera should be applauded for taking this breach seriously and acting quickly.

While Opera has not gone public with the implementation details of how shared passwords are stored, cryptographic best practices state that it shouldn’t matter to the defender if the attacker knows how secrets are kept; the only secret part should be the decryption key. Regardless, Opera developers reported in 2015 that they’re using the Nigori protocol for password encryption, according to this developer blog post.

People with privacy concerns about syncing passwords across devices should investigate separate, standalone password managers that are purpose-built with security in mind. Offerings from 1Password, LastPass, and other password management vendors tend to be open about critical implementation details, which is an important feature of best cryptographic practices. Browser-based storage for credentials is certainly convenient and better than reusing the same three to four passwords everywhere, but password managers are nearly always going to employ more secure designs and offer more secure features like random password generation and password expiration.”

Information Security Buzz