Security Researcher Says He Downloaded Sensitive Data About 13M MacKeeper Users
Security researcher Chris Vickery claims to have accessed sensitive data for over 13 million MacKeeper accounts. The white-hat researcher says the much-maligned Mac software maker’s extremely poor security allowed him to access the data.
Vickery, via 9to5Mac:
I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, ip address, software license and activation codes, type of hardware (ex: “macbook pro”), type of subscriptions, phone numbers and computer serial numbers.
Vickery has previously exposed similar data breaches at MLB, ATP, Slipknot and a group of charter K-12 schools in California. The researcher posted a screenshot of the folder hierarchy (seen above) on Reddit and said the server was completely unprotected.
Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No log in required at all.
Vickery also noted that while the passwords were stored as hashes, the hashing scheme the system used was weak: “MD5 with no salt… so very weak hashing.” He says he’ll reveal more about how he was able to easily access the data after the company has secured it.
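To show why "MD5 with no salt" is weak, here is an added example (not from the original article and not MacKeeper's code) that audits a credential table for signs of unsalted fast hashing and contrasts it with a salted, slow scheme. The account names, passwords, function names and the PBKDF2 parameters are constructed for illustration.

```python
import hashlib
import hmac
import os
import re
from collections import Counter

MD5_HEX = re.compile(r"^[0-9a-f]{32}$")  # bare 128-bit hex digest, no salt field
ITERATIONS = 600_000                     # assumed work factor for PBKDF2-HMAC-SHA256

def unsalted_md5(password):
    """The weak scheme quoted in the article: MD5 with no salt."""
    return hashlib.md5(password.encode()).hexdigest()

def audit(rows):
    """Flag signs of unsalted fast hashing in (username, stored_hash) rows."""
    counts = Counter(h for _, h in rows)
    return {
        # Stored value is nothing but an MD5-sized digest.
        "md5_like": [u for u, h in rows if MD5_HEX.match(h)],
        # Without a salt, equal passwords always produce equal hashes.
        "shared_hash_users": sorted(u for u, h in rows if counts[h] > 1),
    }

def hash_password(password, salt=None, iterations=ITERATIONS):
    """Salted, deliberately slow replacement: a fresh random salt per account."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    _, iterations, salt_hex, _ = stored.split("$")
    candidate = hash_password(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, stored)

# Constructed sample accounts: two users happen to share a password.
ACCOUNTS = [("alice", "correct horse"), ("bob", "correct horse"), ("carol", "tr0ub4dor")]
WEAK_ROWS = [(user, unsalted_md5(pw)) for user, pw in ACCOUNTS]
STRONG_ROWS = [(user, hash_password(pw)) for user, pw in ACCOUNTS]

if __name__ == "__main__":
    print("unsalted MD5:", audit(WEAK_ROWS))
    print("salted PBKDF2:", audit(STRONG_ROWS))
```

In the unsalted table, every row is flagged and the two accounts with the same password are linked by their identical hash; with per-account salts neither signal appears.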