We recently discovered that some information about Blur users was potentially exposed. We immediately took steps to investigate, respond, and work to prevent this from happening again.
We are communicating with you now about what happened, what information was involved, the steps we are taking, and the steps you can take, while also taking care not to compromise our security systems or processes.
On Thursday, December 13th 2018, we became aware that some information about Blur users had been potentially exposed and immediately began working to ensure our systems and data were secure, to determine what happened, and to inform and help our users. We have also retained a leading security firm to assist us and have notified law enforcement officials.
What Information was Involved
A file containing some information about Blur users from prior to January 6th, 2018 was potentially exposed. This file included the following information about Blur users who had registered their accounts prior to January 6th, 2018:
- Each user’s email addresses
- Some users’ first and last names
- Some users’ password hints but only from our old MaskMe product
- Each user’s last and second-to-last IP addresses used to login to Blur
- Each user’s encrypted Blur password. These encrypted passwords are encrypted and hashed before they are transmitted to our servers, and they are then encrypted using bcrypt with a unique salt for every user. The output of this encryption process for these users was potentially exposed, not actual user passwords.
Importantly, there is no evidence that our users’ most critical data has been exposed, and we believe it is secure. There is no evidence that the usernames and passwords stored by our users in Blur, auto-fill credit card details, Masked Emails, Masked Phone numbers, and Masked Credit Card numbers were exposed. There is no evidence that user payment information was exposed.
What We Are Doing
As a best practice, you should change your Blur password. If you use the same password you use on Blur on any other service, you should change those passwords to new unique passwords as well.
To change your password, click “edit” next to your password in your Blur Settings.
As always, we recommend you backup your Blur data before making any account changes. To backup your data, click “Export Data” from your Blur settings.
You should also take this opportunity to ensure your new Blur password is long, but something you can remember, and that you have your Blur backup passphrase as well.
For More Information
If you have any questions or need any help, you can contact us by email at firstname.lastname@example.org or by phone at (800) 928-1987 (press 2 at the prompt).
As a privacy and security focused company this incident is embarrassing and frustrating. These incidents should not happen and we let our users down. We apologize and are working very hard to ensure we respond quickly and effectively to this incident and make sure we do everything we can to not let anything like it happen again.
We remain committed to our mission of protecting your privacy and security. In particular we want to help you in a world where you can’t trust third parties with your unencrypted data. We do not have access to your most critical unencrypted data, including the usernames and passwords for your stored accounts, your autofill credit cards, and so on. As frustrated as we are right now, we are glad that we have taken that approach.