Security researcher Chris Vickery claims to have accessed sensitive data for over 13 million MacKeeper accounts. The white-hat researcher says the much-maligned Mac software maker’s extremely poor security allowed him to access the data.
Vickery, via 9to5Mac:
I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, ip address, software license and activation codes, type of hardware (ex: “macbook pro”), type of subscriptions, phone numbers and computer serial numbers.
Vickery has previously exposed similar data breaches at MLB, ATP, Slipknot and a group of charter K-12 schools in California. The researcher posted a screenshot of the folder hierarchy, (seen above), on Reddit, and said the server was completely unprotected.
Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No log in required at all.
Vickery also noted while the passwords were encrypted, the encryption the system used was weak: “MD5 with no salt… so very weak hashing.” He says he’ll reveal more about how he was able to easily access the data after the company has secured it.
(UPDATE: 12/1/15) – MacKeeper has secured the database, and as far as anyone can tell, no bad actors got access to the data. Now that the exploit has been fixed, Vickery has revealed how he accessed the data.:
Here are some details (now that it’s secured): The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed). I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random “port:27017” search on Shodan.
Although it appears that no customer info has gotten into the hands of the bad guys, MacKeeper customers should still change their login and password on the MacKeeper site, and on any sites where they used the same login and password as on the MacKeeper site.