As if conning people out of money for a piece of scamware that does nothing useful weren’t bad enough, a security researcher claims that extremely poor security has allowed him to access sensitive data for more than 13M MacKeeper accounts.

I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, ip address, software license and activation codes, type of hardware (ex: “macbook pro”), type of subscriptions, phone numbers and computer serial numbers.

The data was accessed by white-hat researcher Chris Vickery, who previously exposed data breaches at MLB, ATP, Slipknot and a network of charter K-12 schools in California …

Vickery, who posted a screenshot of the folder structure (below), said on Reddit that the server was completely unprotected.

Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No login required at all.

The researcher also noted that while passwords were stored as hashes rather than in plain text, the hashing scheme used was extremely weak.

MD5 with no salt… so very weak hashing
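To make the quoted weakness concrete, the following is an added example (not code from the article, from Vickery, or from MacKeeper): it contrasts bare unsalted MD5 with a salted, iterated PBKDF2-HMAC-SHA256 record, and shows why a leaked unsalted table immediately reveals which accounts share a password. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional, Set

# Added example; SAMPLE accounts below are constructed, not real breach data.


def md5_unsalted(password: str) -> str:
    """Store a password as a bare MD5 digest: no salt, a single fast round."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>' using a fresh random salt."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, record: str) -> bool:
    """Recompute the stored record with its own salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


def duplicate_password_groups(records: Dict[str, str]) -> List[Set[str]]:
    """Group users whose stored value is identical. With unsalted MD5 every pair of
    users sharing a password is exposed; per-user salts make the values all differ."""
    by_hash: Dict[str, Set[str]] = {}
    for user, stored in records.items():
        by_hash.setdefault(stored, set()).add(user)
    return [users for users in by_hash.values() if len(users) > 1]


# Constructed sample accounts: alice and bob deliberately reuse the same password.
SAMPLE = {"alice": "correct horse", "bob": "correct horse", "carol": "Tr0ub4dor&3"}


def demo():
    """Return (groups found in the MD5 table, groups found in the PBKDF2 table)."""
    weak = {u: md5_unsalted(p) for u, p in SAMPLE.items()}
    strong = {u: pbkdf2_record(p) for u, p in SAMPLE.items()}
    return duplicate_password_groups(weak), duplicate_password_groups(strong)
```

Running `demo()` returns `([{'alice', 'bob'}], [])`: the unsalted table gives away the shared password before any cracking effort, while the salted records reveal nothing.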

Vickery says that he will reveal more details about how he was able to access the data after the company has secured it.

If you’re looking for genuine software to clean and speed up your Mac, check out our roundup.

[Screenshot: folder structure of the exposed server, as posted by Vickery]
