You may have heard about the OneLogin breach, in which users’ accounts and logins were stolen. Apparently, attackers were able to access OneLogin’s systems and copy encrypted user data as well as the keys required to decrypt that data, giving them access to users’ passwords. (You can read OneLogin’s blog post on this topic.)
You may be wondering if your Blur data could be stolen the same way.
The answer is no — even if any data ever was stolen from our servers, your passwords are safe.
There’s a critical difference in how Blur protects your accounts and passwords compared to the way that OneLogin handles this data. OneLogin is not a password manager; it’s a single sign-on identity manager. This means that instead of creating usernames and passwords for each website, as you do with Blur, you’d use your OneLogin username and password to log in at each website. OneLogin is the repository of these credentials for all their users.
Blur, by contrast, lets you create unique passwords for each website. When you store your usernames and passwords with Blur, they are encrypted with your master password. All of this data is encrypted on your device *before* any data is sent to our systems. Although we may have your encrypted data on our system to allow you to share your data across devices, your devices are the repository of your credentials.
Blur encrypts your passwords with a key that only you know — we never have it, so it can’t be stolen from us.
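The device-side encryption described above can be sketched as follows. This is an added example, not Blur's own code: the key derivation function (scrypt), the cipher (AES-256-GCM), the function names and the sample values are all assumptions chosen for illustration.

```javascript
// Added illustration; NOT Blur's actual code. scrypt and AES-256-GCM are assumed choices.
const crypto = require("node:crypto");

// Runs on the user's device: derive a key from the master password, then encrypt.
function encryptOnDevice(masterPassword, plaintext) {
  const salt = crypto.randomBytes(16); // per-record salt, stored with the record, not secret
  const key = crypto.scryptSync(masterPassword, salt, 32);
  const iv = crypto.randomBytes(12); // 96-bit GCM nonce
  const cipher = crypto.createCipheriv("aes-256-gcm", key, iv);
  const ciphertext = Buffer.concat([cipher.update(plaintext, "utf8"), cipher.final()]);
  // Only these fields are uploaded; the password and derived key stay on the device.
  return {
    salt: salt.toString("base64"),
    iv: iv.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
    ciphertext: ciphertext.toString("base64"),
  };
}

// Runs on a device after the record has been synced back down.
function decryptOnDevice(masterPassword, record) {
  const key = crypto.scryptSync(masterPassword, Buffer.from(record.salt, "base64"), 32);
  const decipher = crypto.createDecipheriv("aes-256-gcm", key, Buffer.from(record.iv, "base64"));
  decipher.setAuthTag(Buffer.from(record.tag, "base64"));
  // final() throws if the key is wrong or the record was modified.
  return Buffer.concat([
    decipher.update(Buffer.from(record.ciphertext, "base64")),
    decipher.final(),
  ]).toString("utf8");
}

// What a holder of only the server-side record gets from a guessed password.
function tryDecrypt(guess, record) {
  try {
    return { ok: true, plaintext: decryptOnDevice(guess, record) };
  } catch (err) {
    return { ok: false, plaintext: null };
  }
}

// Constructed sample data.
const record = encryptOnDevice("correct horse battery staple", "example.com / hunter2");
console.log(Object.keys(record)); // the fields the server would store
console.log(tryDecrypt("wrong password", record).ok);
console.log(tryDecrypt("correct horse battery staple", record).ok);
```

Because the salt travels with the record, a copied record can still be attacked by offline password guessing, so in a design like this the protection depends on the strength of the master password and the cost of the key derivation.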
We don’t know what your master password is, and it’s not ever directly transmitted to us or stored on our systems. As a result, even if attackers were able to copy your encrypted data from our servers, we simply don’t have the keys required to decrypt your data. And since your data is