Software utility company MacKeeper, known for helping MacBook customers keep their “apples” soft, juicy and well-running, has now exposed 13 million user accounts on the Web in its latest vulnerability.
The exposure was discovered by security researcher Chris Vickery, who contacted MacKeeper at the time he discovered the vulnerability. According to MacKeeper, Vickery confirmed the data breach with the company and did not contact or talk with anyone else about the exposure of MacKeeper’s customer information. “The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night. I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick,” Vickery said about his find.
Without a Mac, then, how did Chris Vickery pull it off? He went to a site called Shodan, which indexes devices connected to the internet (not just IP addresses, but the actual MacBooks and other computers behind them). While there, and with a little free time, he searched for ports that were open and insecure, requiring no hacking method to get in. Four addresses appeared on-screen, each of them belonging to MacKeeper parent company Kromtech. Vickery notified MacKeeper, and the company thanked him in the public announcement it made today:
MacKeeper account passwords are in the process of being reset. By this time some of our customers should have received an in-software pop-up notification with easy-to-follow instructions on how to set a new password. Don’t worry if you have not received it yet; the process takes time. Thank you for your patience, we will keep you updated!
Kromtech is aware of a potential vulnerability in access to our data storage system.
We are grateful to the security researcher Chris Vickery, who identified this issue without disclosing any technical details for public use. We fixed this error within hours of the discovery. Analysis of our data storage system shows that only one individual gained access: the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately,
the company wrote.
As for credit card and debit card information, MacKeeper says that it was all handled by a third party and, as such, wasn’t accessed in the data breach. While this is good to know, it also means that, with a second website handling such information, customers could be victimized twice over in separate hacking incidents. After all, British pub chain Wetherspoon wasn’t safe either when customers’ financial, email, address and other information was compromised on a third-party web-hosting site.
MacKeeper is currently providing new login information for its customers, and Chris Vickery is a hero to customers who would otherwise never have known their information was exposed on the Web, where malicious hackers could have accessed it and sold their personal information on the black market. Being a security researcher is a hard job, but someone has to do it: the security and peace of mind of consumers are always at risk.