Security researcher claims to have downloaded sensitive data from 13M accounts of scamware app MacKeeper
As if conning people out of money for a piece of scamware that does nothing useful weren’t bad enough, a security researcher claims that extremely poor security has allowed him to access sensitive data for more than 13M MacKeeper accounts.
“I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, IP address, software license and activation codes, type of hardware (ex: ‘macbook pro’), type of subscriptions, phone numbers and computer serial numbers.”
Vickery, who posted a screenshot of the folder structure, said on Reddit that the server was completely unprotected.
“Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No log in required at all.”
The researcher also noted that while passwords were stored as hashes rather than in plain text, the hashing scheme used was extremely weak.
“MD5 with no salt… so very weak hashing”
Vickery says that he will reveal more details about how he was able to access the data after the company has secured it.
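Why unsalted MD5 earns that verdict, as an added example that is not from the article or from MacKeeper's code: with no salt, accounts sharing a password store identical digests, while a per-account salt and a slow key-derivation function remove that signal. The account list is constructed, and PBKDF2-HMAC-SHA256 at 600,000 iterations is this example's assumed replacement, not something the article names.

```python
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample accounts (not data from the incident).
ACCOUNTS = [("alice", "sunshine1"), ("bob", "sunshine1"), ("carol", "T7#pq-Lm2")]
PBKDF2_ITERATIONS = 600_000  # assumed work factor for this example


def md5_unsalted(password):
    """Weak scheme as quoted in the article: plain MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hash(password, salt=None):
    """Hardened form: random per-account salt plus a deliberately slow KDF."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def pbkdf2_verify(password, salt, expected):
    """Recompute with the stored salt and compare in constant time."""
    _, digest = pbkdf2_hash(password, salt)
    return hmac.compare_digest(digest, expected)


def shared_digests(records):
    """Group usernames by stored digest; any group larger than one
    tells a reader of the table that those accounts share a password."""
    groups = defaultdict(list)
    for user, digest in records:
        groups[digest].append(user)
    return [sorted(users) for users in groups.values() if len(users) > 1]


def demo():
    weak = [(user, md5_unsalted(pw)) for user, pw in ACCOUNTS]
    strong = [(user, pbkdf2_hash(pw)) for user, pw in ACCOUNTS]
    strong_digests = [(user, digest) for user, (_, digest) in strong]
    return shared_digests(weak), shared_digests(strong_digests), strong


if __name__ == "__main__":
    weak_groups, strong_groups, _ = demo()
    print("unsalted MD5, accounts with identical digests:", weak_groups)
    print("salted PBKDF2, accounts with identical digests:", strong_groups)
```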
If you’re looking for genuine software to clean and speed up your Mac, check out our roundup.