MacKeeper Hack Exposes 13M Accounts


A suite of software designed to keep Apple’s Mac computers safe and secure is now under fire for exposing the personal information of millions of Mac owners after a recent data breach.

MacKeeper announced on Tuesday (Dec. 14) that security researcher Chris Vickery identified a security vulnerability that permitted unauthorized access to the company’s data storage system.

“All customer credit card and payment information is processed by a third-party merchant and was never at risk,” MacKeeper confirmed in a security advisory statement on its website.

“The only customer information we retain are name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s Web admin account where they can manage subscriptions, support and product licenses,” the statement continued.

MacKeeper said the vulnerability was addressed within hours of discovery and that it plans to launch a comprehensive internal review to determine if any additional security measures need to be taken.

In a post on Reddit, Vickery explained how he was able to download the sensitive account details of more than 13 million users.

“The data was/is publicly available,” Vickery wrote in the thread. “No exploits or vulnerabilities involved. They published it to the open web with no attempt at protection.”

Kromtech, the German-based company that owns MacKeeper, said it saw no evidence of malicious access to the data and gave assurances that the exposure was limited.

“Entering the MongoDB database via four IP addresses, which didn’t require a username or password to access, leaves you to wonder just how many of these ‘open doorways’ exist on the Web just waiting for a curious hacker to discover,” Kunal Rupani, principal product manager at cloud solutions company Accellion, told CNET.