
MacKeeper: 13M Customers' Details Exposed

Shodan Search Reveals More Poorly Secured Account Data

An information security researcher warns that he was able to find online "sensitive account details" relating to a heavily marketed - and controversial - application called MacKeeper.


"I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech [Alliance]," Texas-based information security researcher Chris Vickery says in a Dec. 14 post to news website Reddit, referring respectively to MacKeeper's previous and current owners.

"I'm having no luck reaching Zeobit or Kromtech to notify them," he adds. "Does anyone have a good contact within either company that can confirm or deny that they control a certain IP address and server? And maybe also can secure this freaking thing before someone malicious gets it?"

Kromtech Alliance reacted quickly to the Reddit warning, issuing a security advisory the same day that thanks Vickery and reports that there are no signs that the exposed data had been misused. "We fixed this error within hours of the discovery," it says. "Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately."

Kromtech adds: "Our customer's private information and data protection is our highest priority."

Customer Information Exposed

Vickery says he found the exposed customer information while doing random searches using Shodan, a search engine that's designed to find specific types of Internet-connected devices and configurations. "The search engine at Shodan.io had indexed their IPs as running publicly accessible MongoDB instances," Vickery says in a Reddit post. "I had never even heard of MacKeeper or Kromtech until last night. I just happened upon it after being bored and doing a random 'port:27017' search on Shodan."

Kromtech says that the customer information that was exposed included a customer's name, username, public IP address, list of products they've ordered as well as a hashed password for accessing their customer account. The company adds that all credit card and payment information is handled by a third party, and so was not at risk.

On the password-storage front, using a purpose-built password hashing algorithm such as bcrypt can make it nearly impossible for attackers to crack the hashes it generates and recover the original passwords.

But Vickery warns that the Kromtech customers' passwords appeared to be hashed using "MD5 with no salt ... so very weak hashing." As a result, attackers could generate rainbow tables, which are pre-computed tables that can be used to reverse unsalted cryptographic hash functions and thus easily crack passwords (see We're So Stupid About Passwords: Ashley Madison Edition).
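The difference between the two storage schemes, as an added Python example that is not from the article or from Kromtech: a plain dictionary stands in for a precomputed table, and PBKDF2 from the standard library stands in for bcrypt. The accounts, candidate passwords and iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import Counter

# Constructed sample accounts and candidate list (not data from the incident).
ACCOUNTS = {"alice": "letmein", "bob": "letmein", "carol": "x9!Vq-long-random"}
COMMON_PASSWORDS = ["123456", "password", "letmein", "qwerty"]
ITERATIONS = 200_000  # assumed work factor for this sketch


def md5_unsalted(password):
    """The weak scheme described above: one fast hash, no salt."""
    return hashlib.md5(password.encode()).hexdigest()


def slow_salted(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF, stored as salt$hash."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_slow_salted(password, record):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex = record.split("$", 1)[0]
    candidate = slow_salted(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record)


def exposed_by_lookup(stored, table):
    """Accounts whose stored value appears in a table computed once, in advance."""
    return sorted(user for user, value in stored.items() if value in table)


def duplicate_values(stored):
    """Number of stored values shared by more than one account."""
    return sum(1 for n in Counter(stored.values()).values() if n > 1)


# One table serves every unsalted-MD5 database, so its cost is paid only once.
TABLE = {md5_unsalted(p): p for p in COMMON_PASSWORDS}
MD5_STORE = {u: md5_unsalted(p) for u, p in ACCOUNTS.items()}
SALTED_STORE = {u: slow_salted(p) for u, p in ACCOUNTS.items()}

if __name__ == "__main__":
    print("unsalted MD5:", exposed_by_lookup(MD5_STORE, TABLE), duplicate_values(MD5_STORE))
    print("salted, slow:", exposed_by_lookup(SALTED_STORE, TABLE), duplicate_values(SALTED_STORE))
```

With unsalted MD5, the two accounts that share a password also share a stored value and both fall to a single lookup; with per-user salts every record is distinct, so any table would have to be rebuilt per account at the KDF's cost.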

Controversial Software

MacKeeper is a collection of utilities that get bundled together. In June 2014, for example, owner Kromtech Alliance announced that it would include Avira's antivirus software for Apple OS X.

But the software has historically been the focus of much criticism, as exemplified in a "Do Not Install MacKeeper" January 2014 post to Apple's official support community, which alleged that the software had been "unethically marketed," could install itself without permission and that it monetized capabilities that were available for free.

Likewise, in response to Vickery's Dec. 14 Reddit post, another user claimed: "MacKeeper has been known for a while to be a complete sham. I work in tech support. When someone contacts us and says they have MacKeeper installed, we tell them to delete it immediately."

MacKeeper - as well as PCKeeper - was developed by Sunnyvale, Calif.-based ZeoBit. But the software was acquired in April 2013 by a new consortium registered in the British Virgin Islands called Kromtech Alliance, which lists its headquarters as being in Cologne, Germany. The new entity reportedly hired a number of Ukraine-based employees who had been maintaining ZeoBit's products and has a management team based in Ukraine that includes people who were previously responsible for advertising and marketing the software while it was owned by ZeoBit.

MacKeeper Class Action Lawsuit

MacKeeper was the focus of a class-action lawsuit - Yencha v. Zeobit - filed in May 2014, alleging that "Zeobit deceptively advertised and sold MacKeeper software as capable of enhancing an Apple Macintosh computer's speed, performance, and security by detecting and eliminating harmful errors and threats, but that it does not and cannot perform all of the functions advertised."

Zeobit denied any wrongdoing or liability, and has now settled the lawsuit. Under the terms of the settlement agreement proposed in May and granted by U.S. District Court Judge Joy Flowers Conti in November, "Zeobit will deposit $2 million into a fund to reimburse past customers, pay attorney fees, and also advertise on Facebook to let potential users know they can file for a refund," Kromtech says. The refund is a one-time payment of $39.95, and anyone in the United States who purchased the software before July 9, 2015, can apply.

"Kromtech Alliance, as new owners of MacKeeper, welcome this closure so that we can move forward with our own development of the brand and the offering," Kromtech says in a blog post. "Kromtech Alliance was not involved in the lawsuit in any way."

Medical Data Breach

This isn't the first time that Vickery has found customer data being stored insecurely online. In September, he reported about Larkspur, Calif.-based Systema Software, which develops Web-based claims management software that's used in part for logging workers' injury claims. He warned that the software developer was storing related information insecurely on Amazon Web Services, and that he was able to access what appeared to be information on at least 1.5 million people, including names and contact information, plus about 1 million Social Security numbers, hundreds of thousands of injury reports, as well as bank account and routing information. News of the breach was first reported by DataBreaches.net, but only after Vickery had alerted Systema Software and it had fixed the flaw.

In a statement, Systema Software said it was working to secure the data, that it had launched a related digital forensic investigation and that it had "no indication that any data has been used inappropriately."

Charter School Breach

In just the past two weeks, meanwhile, Vickery claims via Reddit that he's found, in total, "approximately 25 million exposed accounts' details for various sites and services." He says that includes not just MacKeeper, but also unsecured databases maintained by software firm Vixlet, which provides social networking sites for numerous organizations, including for U.S. Major League Baseball via its MLB.com site.

On Dec. 12, Vickery - again working with DataBreaches.net - also warned that information relating to 58,694 students of California Virtual Academies, or CAVA, which is a group of 11 publicly funded K-12 charter schools, was being stored in an online database in plaintext. The unencrypted information reportedly also included information on students with disabilities and special-education needs, as well as payroll information - including Social Security numbers - that appeared to relate to about 17,000 employees, he says.

Neither CAVA nor its education and technology provider, K12, immediately responded to a request for comment. But K12 spokesman Jeff Kwitowski told DataBreaches.net that although K12 was not responsible for securing CAVA's database, it worked with the network to confirm the leak and lock the database down, prior to Vickery detailing the flaws publicly. "Data security is paramount," Kwitowski said. "K12 and CAVA will continue to investigate, collect more information, and notify affected individuals as needed."

No mention of the breach yet appears on either CAVA or K12's websites or social media channels.


About the Author

Mathew J. Schwartz


Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.



