MacKeeper discloses 13 million Mac users’ details with poor hash protection
Tue 15 Dec 2015
Mac security software suite MacKeeper is recovering after a hack leaked millions of users’ personal information.
Kromtech, the software developer, confirmed that it had received notice of the hack yesterday, discovering a hole in its security which was exposing customer usernames, email addresses and other personal data for as many as 13 million users. According to Kromtech, the hole was patched within a matter of hours after security researcher Chris Vickery had published details of the error on Reddit over the weekend.
The German developer assured customers that there was no evidence that the data had been accessed by malicious third parties.
‘Analysis of our data storage system shows only one individual gained access performed by the security researcher himself,’ said Kromtech in a statement posted yesterday. ‘We have been in communication with Chris and he has not shared or used the data inappropriately.’
Vickery, who had been unfamiliar with both MacKeeper and Kromtech, explained that he had discovered the security fault by browsing the connected devices search engine Shodan.io. In a moment of boredom, Vickery said he randomly entered a search for ‘port:27017’, the default listening port of the database management system MongoDB.
The random search returned four separate IP addresses linked to Kromtech. These offered public access to stores of customer information without the need for username or password authentication.
‘The data was/is publicly available. No exploits or vulnerabilities involved. They published it to the open web with no attempt at protection,’ Vickery wrote in a Reddit post. He noted that Kromtech was alerted and was able to quickly patch the vulnerability.
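The exposure described above amounts to a database server reachable from the internet with no access control. The following mongod.conf fragment, an added illustration rather than anything published by Kromtech or taken from its systems, contrasts the kind of setting that produces that exposure with the hardened equivalent; the interface address and the choice of a standalone deployment are assumptions for the example.

```yaml
# WEAK (illustrative): listens on every interface and requires no login.
# Anyone who can reach port 27017 can read and modify every collection.
net:
  bindIp: 0.0.0.0
  port: 27017
security:
  authorization: disabled

---
# HARDENED (illustrative): bound to loopback only, with role-based
# access control enforced so every client must authenticate.
# Application servers on other hosts should reach the database over a
# private network address or a TLS-protected channel, never 0.0.0.0.
net:
  bindIp: 127.0.0.1        # assumption: app and database on the same host
  port: 27017
security:
  authorization: enabled   # clients must authenticate with a database user
```

Enabling authorization only helps once at least one user with appropriate roles exists, so the user accounts must be created before the setting takes effect in production; a firewall rule limiting inbound 27017 to known application hosts is a separate, complementary control.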
Kromtech thanked Vickery with a ‘special Thank you […] for identifying the security breach attempt so that we could stop it before anyone was harmed.’
The company further assured customers that exposure of details was limited as it does not collect sensitive data such as payment information, which is held by a third party. ‘Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,’ read the statement. ‘The only customer information we retain are name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.’
It is not clear how the hole came about, and Kromtech is yet to provide any comment explaining its occurrence.