Industry sources are baffled by the lack of security protocol at MacKeeper after security researcher Chris Vickery discovered 13 million account records that were left exposed on a database server.
The researcher announced on Reddit that he discovered the user information during a Shodan query. “The data was/is publicly available,” he wrote. “No exploits or vulnerabilities involved. They published it to the open web with no attempt at protection.” The company stored 21 gigabytes of information on the server.
Kromtech Alliance, the German IT investment and development firm that owns MacKeeper, acknowledged the breach in a blog post. “We fixed this error within hours of the discovery,” the company wrote. “Analysis of our data storage system shows only one individual gained access performed by the security researcher himself.”
“Database servers are almost never meant to be exposed to the internet directly,” Joshua J. Drake, vice president of research at Zimperium Enterprise Mobile Security, told SCMagazine.com. He added, “It's a terrible best practice use that they broke.”
Kromtech acquired MacKeeper from ZeoBIT in April 2013. In May 2014, a class-action suit was filed against ZeoBIT. The lawsuit was settled in May. Under the settlement terms, ZeoBIT would put $2 million into a fund for customers who want a refund.
“The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer's web admin account where they can manage subscriptions, support, and product licenses,” Kromtech wrote in the blog post.
“Making your credentials available on database servers is as dumb as hashing passwords with MD5,” Scott Petry, CEO of Authentic8, told SCMagazine.com. He said the details stored by MacKeeper included “all of the information that an attacker needs to launch a highly sophisticated phishing malware campaign.”
In an email obtained by SCMagazine.com, Christopher Ensey, chief operating officer of Dunbar Security Solutions, noted that it is “unlikely” that Vickery was the first and only individual to discover the database. “As a hacker, if you were to come up with a list of usernames, hashed passwords and email addresses there is only limited value,” Ensey wrote. “What makes them extremely valuable is when you have ‘context' for them.”
Ensey also expressed frustration that MacKeeper used the MD5 algorithm to hash passwords on the database. “The industry has all but done away with MD5 due to serious security flaws, and this breach is a stark reminder that there are always vendors who are slow to adopt more secure processes and technologies,” he wrote. “It's great to hear MacKeeper is in the process of upgrading to SHA512, but this may be a case of too little, too late.”
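The MD5-to-SHA512 upgrade Ensey refers to is a common migration problem for a credential store, and swapping the digest alone is not enough: a fast, unsalted hash of any family is cheap to crack offline. The following added example (not code from the article, Kromtech or MacKeeper) shows the defender-side pattern of re-hashing legacy MD5 rows on successful login with salted, iterated PBKDF2-HMAC-SHA512; the record format, the iteration count and the sample accounts are assumptions constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumption: iteration count chosen for this example, not a value from the article.
PBKDF2_ITERATIONS = 210_000
PREFIX = "pbkdf2_sha512$"


def legacy_md5(password: str) -> str:
    """Unsalted MD5 as a legacy store might hold it (weak: fast and salt-free)."""
    return hashlib.md5(password.encode()).hexdigest()


def hash_pbkdf2_sha512(password: str, salt: Optional[bytes] = None) -> str:
    """Self-describing record: pbkdf2_sha512$<iterations>$<salt hex>$<digest hex>."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"{PREFIX}{PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def is_legacy(record: str) -> bool:
    """A row without the PBKDF2 prefix is treated as an unsalted MD5 digest."""
    return not record.startswith(PREFIX)


def verify(record: str, password: str) -> bool:
    """Check a password against either record format using constant-time comparison."""
    if not is_legacy(record):
        _, iters, salt_hex, digest_hex = record.split("$")
        digest = hashlib.pbkdf2_hmac(
            "sha512", password.encode(), bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(digest.hex(), digest_hex)
    return hmac.compare_digest(legacy_md5(password), record)


def login_and_upgrade(store: dict, username: str, password: str) -> bool:
    """On a successful login, replace a legacy MD5 row with a PBKDF2 row in place."""
    record = store.get(username)
    if record is None or not verify(record, password):
        return False
    if is_legacy(record):
        store[username] = hash_pbkdf2_sha512(password)
    return True


def legacy_count(store: dict) -> int:
    """Inventory check: how many rows still carry the weak scheme."""
    return sum(1 for r in store.values() if is_legacy(r))


# Constructed sample store with two legacy MD5 rows (made-up accounts and passwords).
STORE = {"alice": legacy_md5("correct horse"), "bob": legacy_md5("hunter2")}
```

Running `legacy_count` on a schedule tells you how far the migration has progressed; rows that never log in again never get upgraded and should be force-reset rather than left as MD5.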