Opera has confirmed that hackers broke into the company's sync servers, exposing users' passwords. Opera Software is advising all users of the sync feature of its Opera browser to change their passwords following a security breach. Details are a little scant at the moment. The company says that servers were breached earlier in the week. User data may have been compromised.
Opera Sync is used to synchronize user data between different computers, but it is apparently used by "less than 0.5% of the total Opera user base". Opera is quick to note that the majority of its 350 million users won't be affected, since most don't use sync. This still leaves about 1.7 million active users at risk. There are likely more inactive users who are storing useful passwords. Opera’s synchronization feature allows people to work across desktop, mobile, and tablet devices. The company said that its servers were attacked recently and it “quickly blocked” those attacks. It believes passwords and account information of some of its sync users may still have been compromised.
The company has reset the passwords for all Opera sync accounts. It is urging users to change their passwords on third-party services if they were linked to Opera sync. The feature allows people to save login information for other services across devices. Opera has assured users that all the credentials saved via the sync feature are hashed and salted, so even if the data was breached, it would be difficult for hackers to unscramble and make sense of it.
In a statement on the Opera Security blog, Tarquin Wilton-Jones says:
Earlier this week, we detected signs of an attack where access was gained to the Opera sync system. This attack was quickly blocked. Our investigations are ongoing, but we believe some data, including some of our sync users' passwords and account information, such as login names, may have been compromised.
Although we only store encrypted (for synchronized passwords) or hashed and salted (for authentication) passwords in this system, we have reset all the Opera sync account passwords as a precaution.
We have also sent emails to all Opera sync users to inform them about the incident and ask them to change the password for their Opera sync accounts. In an abundance of caution, we have encouraged users to also reset any passwords to third party sites they may have synchronized with the service.
To obtain a new password for Opera sync, use the password resetting page.
The total active number of users of Opera sync in the last month is 1.7 million, less than 0.5% of the total Opera user base of 350 million people.
The remaining Opera browser users who do not use Opera sync, do not need to take any actions.
We take your data security very seriously, and want to sincerely apologize for the inconvenience this might have caused.
If you’re an Opera user and you’re worried about what might have been stored on Opera’s servers, you’ll need to first reset your password, then log in. Next, you’ll want to visit Opera’s sync page. There, Opera will show you what data, if any, was stored there.
Why this matters: This summer, Opera accepted an acquisition offer from a consortium of Chinese companies, including Beijing Kunlun Tech and Qihoo 360 Software. That was already going to make some parties nervous, even before the breach. Opera’s an excellent browser, especially after the company added features like an integrated VPN and native ad blocking. But the breach isn’t going to do much to raise its niche status.