
macrumors bot
Original poster
Apr 12, 2001



MacKeeper, the Mac "anti-virus" and system-utility product from Kromtech, is making headlines today for lax security on a customer database containing 13 million customer records, complete with names, email addresses, usernames, password hashes, phone numbers, IP addresses, and system information.

As shared in a reddit post, Chris Vickery (via Forbes) was able to download the records simply by connecting to the database's IP address, with no username or password required to access the data, a major security oversight on MacKeeper's part.

MacKeeper was also storing passwords as MD5 hashes. MD5 is a fast general-purpose hash, not a password hashing function, so an MD5 cracking tool can recover the original passwords from such hashes quickly by dictionary or brute-force search. As Vickery says, MacKeeper (and parent company Kromtech) "appears to have no respect for the privacy of its users' data or the integrity of their information."

Vickery initially withheld details of how he had accessed the data and immediately contacted Kromtech about the oversight. Using Vickery's information, Kromtech secured the database after several hours, and nobody with malicious intent was reportedly able to get hold of customer details. Once the exposure was fixed, Vickery explained how he found the data:

Here are some details (now that it's secured): The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed). I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random "port:27017" search on Shodan.

For those unfamiliar with MacKeeper, it is Mac software that purports to optimize a Mac and keep it secure from viruses and malware, tricking people into a purchase with unrealistic claims. Earlier this month, a class action lawsuit led to a $2 million settlement that will see MacKeeper providing refunds to customers who purchased the software and would like their money back.

Though MacKeeper says Vickery was the only person to access the information, MacKeeper customers should still change their MacKeeper password, and also change it on any other site where they reused the same password.

Article Link: MacKeeper Exposes Data on 13 Million Customers
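The article's two security points, unsalted-style fast hashing and why it matters for a leaked database, can be shown concretely. The following is an added example written for this page; it is not code from MacKeeper, Kromtech, Vickery or the article. The "leaked" user table and the wordlist are constructed here, and the hardened side uses PBKDF2-HMAC-SHA256 from the Python standard library as one stand-in for a proper password KDF (bcrypt, scrypt or Argon2 are the usual production choices). It shows that against plain MD5 a single precomputed table cracks every user at once, while a per-user salt and a slow KDF force one full KDF run per user per guess.

```python
import hashlib
import hmac
import secrets

# Constructed wordlist standing in for what a cracking tool would try first.
SAMPLE_WORDLIST = ["123456", "password", "letmein", "macbook",
                   "qwerty", "correct horse battery staple"]


def md5_hex(password):
    """Plain MD5 of a password, the way the leaked table was built."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


# Constructed "leaked" records (username -> MD5 hex). Not MacKeeper data.
LEAKED_MD5_RECORDS = {
    "alice": md5_hex("password"),
    "bob":   md5_hex("123456"),
    "carol": md5_hex("password"),       # same password as alice: identical hash
    "dave":  md5_hex("xK9#vQ2!pLm7"),   # not in the wordlist: stays uncracked
}


def crack_unsalted_md5(records, wordlist):
    """Dictionary attack on unsalted MD5.

    Each candidate is hashed exactly once and every leaked hash is looked up
    in the table, so the work is O(len(wordlist)) no matter how many users
    leaked, and users who share a password fall together.
    Returns (cracked {user: password}, number of hash computations).
    """
    table = {md5_hex(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in records.items() if h in table}
    return cracked, len(wordlist)


# Hardened storage: random per-user salt plus a deliberately slow KDF.
PBKDF2_ITERATIONS = 200_000


def hash_password(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Return a record {salt, iterations, hash} for storing the password."""
    salt = secrets.token_bytes(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_password(password, record):
    """Recompute the KDF with the stored salt; constant-time compare."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             record["salt"], record["iterations"])
    return hmac.compare_digest(dk, record["hash"])


def crack_salted(records, wordlist):
    """Same dictionary against salted PBKDF2 records.

    No shared table is possible: every (user, candidate) pair costs a full
    KDF run, so the work is O(users * len(wordlist) * iterations).
    Returns (cracked {user: password}, number of KDF computations).
    """
    cracked, kdf_runs = {}, 0
    for user, rec in records.items():
        for candidate in wordlist:
            kdf_runs += 1
            if verify_password(candidate, rec):
                cracked[user] = candidate
                break
    return cracked, kdf_runs


def compare(iterations=PBKDF2_ITERATIONS):
    """Run both attacks on the same plaintext passwords and report the work."""
    plaintexts = {"alice": "password", "bob": "123456",
                  "carol": "password", "dave": "xK9#vQ2!pLm7"}
    salted = {u: hash_password(p, iterations=iterations) for u, p in plaintexts.items()}
    md5_found, md5_work = crack_unsalted_md5(LEAKED_MD5_RECORDS, SAMPLE_WORDLIST)
    kdf_found, kdf_work = crack_salted(salted, SAMPLE_WORDLIST)
    return {
        "md5_cracked": md5_found, "md5_hash_calls": md5_work,
        "salted_cracked": kdf_found, "salted_kdf_calls": kdf_work,
        "salted_hashes_differ": salted["alice"]["hash"] != salted["carol"]["hash"],
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(k, "=", v)
```

Note that salting and a slow KDF do not save a user whose password is in the attacker's first few guesses; they remove the one-table-cracks-everyone shortcut and multiply the cost per guess, which is why the article's advice to change reused passwords still applies regardless of how the hashes were stored.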
 
It's safe to say with the amount of money MacKeeper spend on advertising on the web they must be funded by either someone high up in the online porn industry or a large criminal organisation.

I'd love to see Apple become more involved in annihilating these guys off the map. People around here are quick to call someone dumb for installing this software, but the average person doesn't have time to hang out on MacRumors. Apple need to sort these guys out once and for all.
 
Man, this just goes to show you the porn industry is where the money is at, lol.
 
I'm glad. As a Service Manager for an Apple Specialist, we tell people every day not to use this. Some people fight us on this, saying they love it. We try to educate them that there are free alternatives like Malwarebytes Anti-Malware for Mac and Sophos Home for Mac that do not take over your Mac and are from valid companies. Actually, Malwarebytes (formerly Adware Medic) sees MacKeeper as malware, CAUSE IT IS!
 
I'm glad. As a Service Manager for an Apple Specialist, we tell people every day not to use this. Some people fight us on this, saying they love it.

Preaching to the choir. It's insanely frustrating to witness. These are the users who see a snazzy looking GUI with loads of popups about "we've fixed 1000 problems on your Mac", and would argue to the death that it's a good application — despite having absolutely no knowledge on what it does or how it works.
 
I am surprised to know that there are 13 million users. The program's ad pops up annoyingly, and I thought it was a robot porn site.
 
I'd like to know when companies are going to be penalised for not offering what they sell in customer security. How many companies have now been exposed as having very weak security which exposes their customers' private information? If governments want to start regulating the Internet, they need to start there.
 
They deserve to burn in the fiery pit that is ransomware. I hate to see that this junkware still exists on my favourite computing platform.
 
That number seems suspiciously large to me.

I was thinking the same thing. I would believe 13 million installs occurred over the entire lifetime of the product at some point, including running the trial or something, and thus each install counts as a unique user that in some way ended up in the database. But I highly doubt they had 13 million paying customers.

For comparison, Spotify today has 20 million paying customers, of about 75 million accounts.
 
The people that made accounts probably deserve their info to be hacked anyways.

Not so much that as the people with accounts probably already had their credentials stolen by some other means. Anyone dumb enough to sign up for MacKeeper is probably dumb enough to fall for any random phishing attempt.

I.e., just the other day I got a random call on my phone.

"Hi, I'm from tech support. I'm calling to help with your Windows computer. Are you the admin of your Windows computer?"

I stopped them there asking for more details (which they didn't provide) such as whose tech support. I don't doubt the next thing they would have asked for would have been some combination of my username, password, and email address.
 