MacKeeper User Database an Open Book

Thirteen million MacKeeper user records were found in a publicly accessible database.

A trove of MacKeeper user data—some 13 million records—has been locked down after a researcher found an exposed and accessible database using a simple Shodan query.

Chris Vickery revealed his discovery on Monday on Reddit in more of an appeal to reach officials at Kromtech, the parent company that owns MacKeeper, a suite of performance and security utilities for Mac OS X. Kromtech did reply with a statement that it has taken steps to close the database off from the open Internet.

“We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself,” Kromtech said in its statement. “We have been in communication with Chris and he has not shared or used the data inappropriately.”

Vickery said he found four IP addresses leaking the data.

“The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances (as some have already guessed),” Vickery said. “I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random “port:27017″ search on Shodan.”

Shodan is a search engine created for the purpose of finding servers, routers, network devices and more that sit online. Users—researchers or hackers—can filter searches to find specific equipment by manufacturer, function and even where they’re located geographically.

Vickery wrote throughout the Reddit thread that the database in question was configured for public access, meaning no login was required. The information available included names, phone numbers, email addresses, usernames, password hashes, computer names and serial numbers, IP address details, software license and activation codes, type of hardware and MacKeeper subscription type.

MacKeeper said in its statement that payment card data is processed by a third party and was not on the same database, nor is it stored on its servers.

Vickery said on Reddit that the passwords were hashed using MD5, an outdated encryption algorithm, and that they were not salted. Salting a password hash involves adding randomized data that slows down brute force attacks.

MacKeeper, meanwhile, said it will launch a “comprehensive internal review” of the incident, and refine its security measures. There may be more than a few skeptics of MacKeeper’s promises, however. The product is known more for its invasive pop-under ads promising users that the product will help speed up and secure OS X machines. Some users who have wished to remove MacKeeper from their machines found it to be treacherous going, unlike most apps in the Apple ecosystem which can be made to disappear by just dragging them to the trash.

This is the second major security story surrounding MacKeeper; the first was in May when the company patched a zero-day remote code execution vulnerability. The flaw was in MacKeeper’s handling of custom URLs. An attacker who could trick a user into visiting a site hosting an exploit could ultimately run code on the vulnerable computer.

Suggested articles

Discussion

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.