Kromtech, the maker of MacKeeper, a popular suite of software that claims to make Macs more stable and secure, has acknowledged a breach that exposed the user names, email addresses, hashed passwords and other information of its 13 million users.
Credit goes to Chris Vickery, a security researcher who found the exposed database while browsing the search engine Shodan.io. He said it turned up in a random search for "port:27017", the default TCP port of the MongoDB database server, which means the database was reachable directly from the internet. Vickery first published the finding on Reddit on Sunday evening.
Kromtech thanked Vickery for identifying this issue. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately,” Kromtech wrote in a blog post.
The company also said that the only information retained in its database is customer name, products ordered, license information, public IP address and user credentials, and assured customers that no payment information was compromised.
“All customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers.”
There was a second issue. The passwords were protected with a hashing algorithm known to be unsuitable for the job. A hash function is a one-way mathematical function that takes a plaintext password and turns it into a fixed-length string of letters and digits from which the original should not be recoverable. Kromtech admitted that MacKeeper was using MD5, which has long been known to be weak, and said it was in the process of upgrading to SHA-512. The company also said it will reset all user passwords soon. The weakness that matters here is not only MD5's age: an unsalted, fast hash of a common password can be reversed with a precomputed lookup table, and a plain SHA-512 digest is just as fast and just as easy to look up. The accepted fix is a salted, deliberately slow password hash such as bcrypt, scrypt, Argon2 or PBKDF2.
This is one of several alarming security issues reported recently. Another was a flaw found in an internet-connected Barbie doll that could allow attackers to spy on its users.