Analecta Cyber Company Blog: OS X utility MacKeeper hacked: 21GB from 13 million accounts exposed

2015-12-22

MacKeeper is a utility software suite specifically created for Mac OS X. It is a performance and security suite initially developed by Zeobit in 2009 and sold to Kromtech Alliance Corporation in April 2013.

Last May, the company suffered a zero-day remote code execution vulnerability, but it was able to patch the flaw promptly with a software update. Just a week ago, MacKeeper was again involved in a security incident, this time concerning a huge volume of sensitive user information.

A security researcher publicized on Reddit that, simply by running a Shodan query for MacKeeper, he was able to gain access to the account details of approximately 13 million users. This amounts to about 21 GB of data, including users' names, email addresses, usernames, password hashes, IP addresses, phone numbers, and other information.

According to the researcher, known on Reddit as FoundTheStuff, this huge amount of data was publicly available and could be accessed without exploiting any security vulnerability. He added that MacKeeper and the company that owns it had not put any form of protection in place for the exposed data.

Shodan is the search engine the researcher used to locate the vast amount of sensitive account details. It is designed to find servers, routers, network devices and other equipment exposed online. Someone familiar with this type of search engine can find specific equipment by manufacturer, function and even geographic location. In the case of the MacKeeper breach, the researcher said he found four IP addresses leaking the data.

Weak password protection

Though MacKeeper's passwords were hashed rather than stored in plaintext, they were believed to be protected with the weak MD5 algorithm. Unsalted MD5 hashes can be cracked by anyone in seconds using readily available MD5 cracking tools.
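To make the weakness concrete, here is an added example (not code from the article or from MacKeeper) showing why a table of bare MD5 digests is so easy to attack and what the hardened alternative looks like. The three user records are constructed sample data; the PBKDF2 iteration count is an assumption, not a value from the page. The audit helpers flag the two fingerprints of unsalted fast hashing that a defender can look for in a leaked or inherited database: digests that are 32 hex characters long, and different accounts sharing an identical digest (which, without a salt, means they share a password).

```python
import hashlib
import hmac
import os
import re

# Constructed sample: what an unsalted MD5 "protected" password table looks like.
# Two users with the same password get the same digest, which is the core weakness:
# one precomputed lookup table cracks every account that chose that password.
SAMPLE_MD5_RECORDS = {
    "alice": hashlib.md5(b"password123").hexdigest(),
    "bob": hashlib.md5(b"password123").hexdigest(),
    "carol": hashlib.md5(b"correct horse battery staple").hexdigest(),
}

MD5_HEX_RE = re.compile(r"^[0-9a-f]{32}$")


def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit heuristic: a bare 32-hex-digit value is the fingerprint of raw MD5 storage."""
    return bool(MD5_HEX_RE.match(stored))


def duplicate_hash_groups(records: dict) -> dict:
    """Group usernames whose stored digests collide.

    With a proper salted scheme this dict is always empty; with unsalted MD5,
    every group reveals a set of accounts sharing one password.
    """
    groups = {}
    for user, digest in records.items():
        groups.setdefault(digest, []).append(user)
    return {d: users for d, users in groups.items() if len(users) > 1}


# Assumption: a deliberately slow work factor for PBKDF2-HMAC-SHA256 (not from the page).
PBKDF2_ITERATIONS = 210_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'pbkdf2_sha256$iter$salthex$dkhex'.

    A fresh random salt per user means equal passwords no longer produce equal
    records, and the iteration count makes each guess expensive for an attacker.
    """
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    algo, iters, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    for user, digest in SAMPLE_MD5_RECORDS.items():
        print(f"{user}: {digest}  unsalted_md5={looks_like_unsalted_md5(digest)}")
    print("shared digests:", duplicate_hash_groups(SAMPLE_MD5_RECORDS))
    record = hash_password("password123")
    print("hardened record:", record)
    print("verify ok:", verify_password("password123", record))
```

Running the block shows alice and bob sharing one MD5 digest, while two `hash_password` calls for the same password yield different records because of the per-user salt; the audit heuristic reports the PBKDF2 record as not-MD5.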

The company released a statement informing users that it had taken the necessary measures to remove the database from the open Internet and would take further steps to protect the data from future threats. It also stated that there was no evidence the data had been accessed, shared or used inappropriately by any malicious party.

Despite the huge amount of data exposed, the company confirmed that customer credit card and payment information, which is handled by a third-party merchant, was never at risk.