Users of Opera’s online sync service are being forced to reset their passwords after the browser-maker revealed hackers may have obtained log-in credentials and other account information.
In a brief note, the Norwegian firm claimed it detected and quickly blocked the attack early last week.
It added:
“Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution…
In an abundance of caution, we have encouraged users to also reset any passwords to third party sites they may have synchronized with the service.”
The Opera sync service stores data including browsing history, favorite sites and passwords to improve the user experience when switching between devices.
Opera sought to play down the seriousness of the breach, claiming that total active sync users last month numbered fewer than 0.5% of its total user base of 350 million worldwide.
However, Centrify senior director, Corey Williams, argued that 1.7 million passwords could still have a major impact.
“Attackers will work hard to crack any server’s encryption and try these passwords across countless thousands of other sites, services, and apps,” he continued.
“Until we have something better than passwords protecting our accounts – something like multi-factor authentication – we will continue to see these breaches result in success for attackers, and losses for all of us.”
But Tod Beardsley, senior research manager at Rapid7, praised the browser maker for acting quickly to force a password reset.
“People with privacy concerns about syncing passwords across devices should investigate separate, standalone password managers that are purpose-built with security in mind,” he added.
“Browser-based storage for credentials is certainly convenient and better than reusing the same three to four passwords everywhere, but password managers are nearly always going to employ more secure designs and offer more secure features like random password generation and password expiration.”