In a blog post, Opera said all 1.7 million users of Opera Sync are affected. It’s a substantial number but it represents only 0.5% of Opera’s overall user base of 350 million people. Opera users who do not use Sync do not need to take any action and can continue to browse the web as normal.
Opera Sync is a service built into Opera that allows users to synchronise data between different browser installations. All the leading browsers, Google Chrome, Mozilla Firefox and Microsoft Edge, include a similar system. Synchronised data includes favourites, browsing history and stored sign-in credentials for third-party websites.
In a worst case scenario, attacking Opera Sync could give attackers access to account details used for other services, such as email and banking. Opera said it does not believe that synchronised passwords have been stolen. However, it is encouraging users to reset their passwords for third party sites stored on Opera Sync “in abundance of caution.”
According to the company, the attack was first detected early last week. It was then quickly blocked. The company believes that some user data, including account information and Opera Sync passwords, may have been compromised in the attack.
Passwords are hashed and salted which may prevent attackers from using them. Opera hasn’t revealed the hashing algorithm used though so its strength remains unknown. Weaker hashes can be reversed with relative ease in short amounts of time.
“Earlier this week, we detected signs of an attack where access was gained to the Opera sync system,” Opera said on Friday. “This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users’ passwords and account information, such as login names, may have been compromised.”
Opera has contacted every Sync user via email. In the message, the company explained what has happened and the action that now needs to be taken. All Opera Sync passwords have been invalidated. To restore access to the service, users will need to create a new password by using the Password Reset menu within Opera. Users should pick a strong password and avoid reusing their old one again.
While Opera claims that passwords for third-party services have not been compromised, the incident highlights the risk of using centralised cloud-stored password repositories. Heavy Opera users who run the browser across multiple devices will appreciate the convenience of the feature. However, trusting passwords protecting all your online services to a single third-party server could allow hackers to access the entire lot.
There’s no easy solution and it’s a problem all the major browser vendors face, alongside online password repositories such as LastPass. These services could store hundreds of passwords for each user, protected by a single master key. Opera said it takes data security “very seriously” and apologised for any inconvenience caused to its users. However, it hasn’t said how it will avoid the incident occurring again in the future.
