Naked Security

Opera announces data breach: stored passwords stolen for 1.7M users

1.7M users of "Opera sync" were hit when crooks made off with encrypted passwords stored on the Sync servers.

Opera was once a proudly Norwegian browser that was different from the rest in more than just look and feel.

Most other browsers used one of three main core components: Microsoft’s, Mozilla’s or WebKit’s. (WebKit originated from Apple but has now diverged into separate development streams used in browsers like Apple’s Safari, and browsers like Google’s Chrome.)

But Opera had its own rendering engine, the complex heart of any browser that’s responsible for converting HTML source into a visible, clickable, usable web page.

Opera’s independence made it what you might slightly unkindly think of as the Fifth of the Big Four browser families after Microsoft Internet Explorer (and now Edge), Mozilla Firefox, Google Chrome (and its free cousin Chromium) and Apple Safari.

But in 2013, Opera abandoned its own browser core by switching to WebKit, and recently agreed to sell off the browser side of its business to a Chinese consortium for $600M.

Opera Sync

Opera offers a product called Opera sync: a convenient cloud-based service that keeps track of what you do in Opera as you go along.

Apparently, 1.7M of Opera’s grand total of 350M browser users are signed up to the service.

If you jump from Opera on your laptop to Opera on your mobile phone, you’ll end up in the same place.

Not only your bookmarks and favourite sites get synced, but also your open tabs, browsing history and saved passwords.

In theory, you can close your laptop at work, jump on the bus to go home, open up your phone and carry on reading exactly where you left off.

Of course, this leaves more to go wrong in the case of a network intrusion, and unfortunately for Opera sync users, the company announced a breach late last week:

We wanted to let you know that in order to protect your Opera sync account we have reset your password. In order to continue to synchronize your data, you will have to go to the Opera sync service and make a new one.

The reason we have done this is because we detected an attack on some of our Opera sync servers. Our investigations are continuing but we believe some of our users’ passwords (that are still encrypted or securely hashed) and account information such as login names may have been compromised. As a precautionary measure, we have reset all of the Opera sync users’ passwords. In an abundance of caution, we also encourage you to change any passwords to third party sites that you have synchronized through the Opera sync service.

We’ve never been quite sure what “an abundance of caution” means, and in an ideal world, data breach notifications would avoid this tricky turn of phrase.

The implication here is that the company doesn’t think there is any risk of a knock-on effect caused by possibly-cracked Opera sync passwords…

…but it simply can’t be sure.

If that’s the case, then changing passwords on third-party sites could be considered a routine follow-up rather than an abundantly cautious one.

According to the breach notification:

  • Passwords for third-party sites saved in the Sync service are encrypted, presumably with a key that is only ever provided by you when needed, and thus is never stored on disk in any form.
  • Passwords for the Sync service itself were hashed and salted, so they’d still need to be cracked by attackers before they could be used. (Opera really means salted and hashed, of course, because you add the salt first, before you start the hashing process.)
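To make the distinction in those two bullets concrete, here is an added example (not Opera's code; the storage scheme, field names and work factor are assumptions) showing what a sync server would hold for each kind of password, and what a thief who copies the stored records therefore gets. The service password is salted first and then hashed, so the server can verify it but a stolen record still has to be cracked; the third-party password is encrypted under keys derived from a user-held secret, so the stored blob is opaque without that secret and refuses to decrypt under a wrong one.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed example, not Opera's code. Two kinds of stored password:
#   1. the Sync service password: salted-and-hashed, verifiable but not recoverable
#   2. a third-party site password: encrypted under keys derived from a secret
#      the user supplies, which the server never stores
PBKDF2_ROUNDS = 100_000  # assumed work factor; tune for your own hardware


def register_sync_account(password: str) -> dict:
    """Store salt + hash only. The salt goes in before the hashing starts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "hash": digest, "rounds": PBKDF2_ROUNDS}


def verify_sync_password(record: dict, candidate: str) -> bool:
    """Re-run the same salted hash and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["rounds"])
    return hmac.compare_digest(digest, record["hash"])


def _derive_keys(master_secret: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Derive an encryption key and a MAC key from the user-held secret."""
    km = hashlib.pbkdf2_hmac("sha256", master_secret.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return km[:32], km[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher, for illustration only;
    a real product would use an authenticated cipher such as AES-GCM from a vetted library."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return bytes(out[:length])


def seal_site_password(master_secret: str, site_password: str) -> dict:
    """Encrypt-then-MAC a third-party password; only the blob is stored server-side."""
    salt, nonce = os.urandom(16), os.urandom(12)
    enc_key, mac_key = _derive_keys(master_secret, salt)
    plaintext = site_password.encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, "sha256").digest()
    return {"salt": salt, "nonce": nonce, "ct": ciphertext, "tag": tag}


def open_site_password(master_secret: str, blob: dict) -> Optional[str]:
    """Decrypt only if the MAC verifies; a wrong secret or a tampered blob yields None."""
    enc_key, mac_key = _derive_keys(master_secret, blob["salt"])
    expected = hmac.new(mac_key, blob["nonce"] + blob["ct"], "sha256").digest()
    if not hmac.compare_digest(expected, blob["tag"]):
        return None
    ks = _keystream(enc_key, blob["nonce"], len(blob["ct"]))
    return bytes(a ^ b for a, b in zip(blob["ct"], ks)).decode()


def plaintext_exposed(stored: dict, secret: str) -> bool:
    """What a thief learns from the stored record alone: does any field contain the secret?"""
    return any(isinstance(v, bytes) and secret.encode() in v for v in stored.values())
```

Both records are what the server keeps on disk, so both are what an intruder copies. The sync-account record can be attacked offline, which is why its safety depends on the user's password strength and the work factor; the site-password blob cannot be opened at all without the secret the user supplies, which is the property the article assumes Opera's encryption has.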

What to do?

Opera will require you to reset your password next time you log in, so that’s a compulsory precaution that you need to take whether you want to or not.

Additionally, we recommend that you follow the company’s “abundance of caution” advice and change any passwords that you entrusted to Opera’s service.

That’s because it’s hard to be sure, after a breach, exactly what was stolen, how widely the crooks were able to roam inside the network, and what they were able to figure out while they were inside.

So, in the absence of any details about how Opera encrypted the data it stored on your behalf, you can’t really rule out the possibility that the intruders were able to sniff out passwords for other networks while they were inside Opera’s.


4 Comments

“still encrypted _or_ securely hashed”
Hah. I didn’t know it was a multiple choice quiz…

I’ve not used Opera in a few years. It’s always been a decent browser–with a rabidly loyal following I might add–but it just always *felt* not quite natural to me. I used it alongside Firefox for a while (before FF became a memory leak playground) and never could get really comfy in it. In the name of not letting Google (via Chrome in my case) rule the world, maybe it’s time to give Opera another go–though I’ve never trusted any browser with the sync feature.


As explained, I think “encrypted” is for passwords you’ve saved in the password manager to replay later, and “hashed” is for the password to login to the Opera service itself.


yeah… sometimes I fire off a comment before finishing the article. Sometimes I should keep my mouth shut because my smart-assery finds itself far less smug when the answer is three paragraphs down.
heheh, at least no one can say I’m one of those stuffy types with no practice laughing at himself…


I use Opera mostly and this is the first I’ve heard of it – thanks guys, nice to be kept in the loop. Thanks naked security, at least you are looking after me.

