Opera announces data breach: stored passwords stolen for 1.7M users

Opera was once a proudly Norwegian browser that was different from the rest in more than just look and feel.

Most other browsers used one of three main core components: Microsoft’s, Mozilla’s or WebKit’s. (WebKit originated from Apple but has now diverged into separate development streams used in browsers like Apple’s Safari, and browsers like Google’s Chrome.)

But Opera had its own rendering engine, the complex heart of any browser that’s responsible for converting HTML source into a visible, clickable, usable web page.

Opera’s independence made it what you might slightly unkindly think of as the Fifth of the Big Four browser families after Microsoft Internet Explorer (and now Edge), Mozilla Firefox, Google Chrome (and its free cousin Chromium) and Apple Safari.

But in 2013, Opera abandoned its own browser core by switching to WebKit, and recently agreed to sell off the browser side of its business to a Chinese consortium for $600M.

Opera Sync

Opera offers a product called Opera sync: a convenient cloud-based service that keeps track of what you do in Opera as you go along.

Apparently, 1.7M of Opera’s grand total of 350M browser users are signed up to the service.

If you jump from Opera on your laptop to Opera on your mobile phone, you’ll end up in the same place.

Not only do your bookmarks and favourite sites get synced, but so do your open tabs, browsing history and saved passwords.

In theory, you can close your laptop at work, jump on the bus to go home, open up your phone and carry on reading exactly where you left off.

Of course, this leaves more to go wrong in the case of a network intrusion, and unfortunately for Opera sync users, the company announced a breach late last week:

We wanted to let you know that in order to protect your Opera sync account we have reset your password. In order to continue to synchronize your data, you will have to go to the Opera sync service and make a new one.

The reason we have done this is because we detected an attack on some of our Opera sync servers. Our investigations are continuing but we believe some of our users’ passwords (that are still encrypted or securely hashed) and account information such as login names may have been compromised. As a precautionary measure, we have reset all of the Opera sync users’ passwords. In an abundance of caution, we also encourage you to change any passwords to third party sites that you have synchronized through the Opera sync service.

We’ve never been quite sure what “an abundance of caution” means, and in an ideal world, data breach notifications would avoid this tricky turn of phrase.

The implication here is that the company doesn’t think there is any risk of a knock-on effect caused by possibly-cracked Opera sync passwords…

…but it simply can’t be sure.

If that’s the case, then changing passwords on third-party sites could be considered a routine follow-up rather than an abundantly cautious one.

According to the breach notification:

  • Passwords for third-party sites saved in the Sync service are encrypted, presumably with a key that is only ever provided by you when needed, and thus that is never stored on disk in any form.
  • Passwords for the Sync service itself were hashed and salted, so they’d still need to be cracked by attackers before they could be used. (Opera really means salted and hashed, of course, because you add the salt first, before you start the hashing process.)
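To show what “salted and hashed” means for the Sync login passwords in practice, here is an added example (not Opera’s code; the verifier string format and iteration count are assumptions): each user gets a fresh random salt, which is combined with the password before hashing, so that a stolen table still has to be cracked one entry at a time rather than looked up in a precomputed list.

```python
import hashlib
import hmac
import os

# Constructed example, not Opera's implementation: store a login password as a
# salted hash so that a stolen copy still has to be cracked before it is usable.
ITERATIONS = 200_000  # assumption: tune per deployment, higher is slower to crack


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salt first, then hash: a fresh random salt per user means two users with
    the same password end up with different stored values, which defeats
    precomputed (rainbow) tables and forces per-entry cracking."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Assumed storage format: algorithm$iterations$salt_hex$digest_hex
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Re-run the hash with the stored salt and iteration count, then compare
    in constant time so the check does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo():
    """Two accounts with the same password get different verifiers, and only
    the right password is accepted."""
    stored_a = hash_password("correct horse battery staple")
    stored_b = hash_password("correct horse battery staple")
    return {
        "distinct_verifiers": stored_a != stored_b,
        "accepts_right": verify_password("correct horse battery staple", stored_a),
        "rejects_wrong": verify_password("correct horse battery stapler", stored_a),
    }
```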

What to do?

Opera will require you to reset your password the next time you log in, so that’s a compulsory precaution that you need to take whether you want to or not.

Additionally, we recommend that you follow the company’s “abundance of caution” advice and change any passwords that you entrusted to Opera’s service.

That’s because it’s hard to be sure, after a breach, exactly what was stolen, how widely the crooks were able to roam inside the network, and what they were able to figure out while they were inside.

So, in the absence of any details about how Opera encrypted the data it stored on your behalf, you can’t really rule out the possibility that the intruders were able to sniff out passwords for other networks while they were inside Opera’s.