At Opera, we strive to be open, and we want to continue this tradition by sharing with you what happens here. High-profile companies like Opera are under continuous attack by hackers trying to break into their systems, and we want to tell you about an incident that occurred some weeks ago.

This incident involves the same hackers who have tried to attack us before. Before they were thrown out last time, they had managed to gain access to an account with limited access, which went undetected through our system reviews afterwards. A few weeks ago, they logged into this account and tried to use it to spread malware. Most of their attempts were unsuccessful, but they eventually successfully managed to change some fields in a database. We have since completed exhaustive scans of our systems, and are now ready to share the details with you.

The end result was that for new installations of old Opera 12 versions, on pristine Windows environments without Flash installed, if users browsed videos and accepted Opera’s suggestion to install Flash for them, they might have ended up getting malware instead. The misbehaving server was taken offline as soon as we were able to sort the details out, and the total impact appears to have been extremely limited. We know of 2 users who were affected, although we expect there might be more. The malware would immediately have locked the computer, asking the user to pay money to unlock it – a common malware tactic – so any affected users would have noticed as soon as they attempted to install Flash.

The attack was quickly halted, and no further users can be affected. The overlooked account has since been cleared out, and we will continue to review our systems to curb this sort of attack in future. At Opera we are working hard to provide excellent security, and we take incidents such as this extremely seriously. We are continuously working to improve and learn from any mistakes, and we can assure you that we have learned a lot lately. We are cooperating with law enforcement agencies, and expect the hackers too will have to learn new skills soon. However, life at a company like Opera means that such attacks will not stop any time soon, and we will remain vigilant against any new intrusion attempts.

  • Vux777

    At Opera we are working hard to provide excellent security, and we take incidents such as this extremely seriously.

    And you notify users a couple of weeks after that incident happened? -,-
    The same thing was with the certificate hack a month (or two) ago…

    • At least they don’t try and hide the incident.

    • Sigbjørn Vik

      No further users were in danger, and any affected users already knew, so there was no urgency in contacting users. If this had been urgent, we would certainly have made this post earlier. As it was, ensuring the safety of our systems had the topmost priority, and we could not elevate the priority of this blog post above this task. Before making a post which involves multiple departments, we want to be absolutely certain we get all the details right. Mistakes with the details could have a damaging effect on the company, so there are a lot of processes to go through. Unless the post is pushed through these processes with maximum urgency, they do take time. Our apologies if you feel it took too long.

  • Thanks for sharing.

  • Michael A. Puls II

    Thanks for sharing.

    “but they eventually successfully managed to change some fields in a database.”

    Was that because the account had privileges to change those fields, or because some script that they were able to execute with that account didn’t check/escape some query data that was submitted and they were able to execute DB commands?

    • Sigbjørn Vik

      Neither, really. Once you have access to a system, the attack surface and the number of possible attacks to go further become much greater. As the post says, they tried a number of different things. I am sure those two were among the first they tried, but that was not how they gained access to the DB table in question. Unfortunately, I cannot go into details.

  • Chas4

    My guess is that the hackers are targeting Opera users where there is a high browser usage.