Ow. That's really, really bad.<p>Opera is already a pretty small actor so stuff like this probably hurts them more than the bigger guys. This incident will probably show in the bottom line later on.<p>Hope they get their things sorted out, and I really hope they learn enough to avoid having anything like this happen in the future. Things like this are never OK if there is a second time around.
The article claims the official story is unclear, but I disagree. As a potential customer, I've learnt everything I need to know to protect myself from vulnerabilities. (Though the inner hacker would like to hear how their infrastructure was compromised and whether it can have any effect on related services, such as Fastmail.)<p>Opera also states the security breach has been handled on their end, so I see nothing wrong with the announcement's title either.<p>It would be unfortunate if the situation got out of hand; with recent fundamental changes to their browser, Opera now needs 100% focus to stay competitive.
Official announcement: <a href="http://my.opera.com/securitygroup/blog/2013/06/26/opera-infrastructure-attack" rel="nofollow">http://my.opera.com/securitygroup/blog/2013/06/26/opera-infr...</a>
There's another possibility: Maybe Opera has an internal service that accepts software uploads and automatically signs them. That way an attacker might have spread malware without having stolen the certificate.
"...may automatically have received and installed the malicious software..."<p>That is nice. Automatic installation of malware. It's the way to go :)
So should I trust the update that apt-get shows me? There is a 12.16.1760 in the deb.opera.com repository while the Opera main page gives a download for version 12.15!
The signing keys are the weakest link in the security infrastructure and are essentially the keys to the kingdom. We have seen this happen repeatedly; I think it's time for all companies to build a lot of safeguards around the use of their private signing keys, like making employees input it manually every time, or even split it across multiple employees. For Opera at least, I don't think they do releases that frequently.