Germany-based anti-virus provider MacKeeper has today leaked a database containing 13 million customer records, exposing sensitive information such as customers’ names, internet addresses and login credentials. According to Forbes, the database was discovered by security researcher Chris Vickery, who uncovered four IP addresses that took him straight to the database, which contained a range of personal information as well as software licenses and activation codes.
While MacKeeper is supposed to offer users extra security on their Apple Macs, it has failed to protect their personal data in more ways than one. Apparently all Vickery had to do was look for openly accessible MongoDB databases on the Shodan search tool. The source details that even the passwords were protected with a known-to-be-broken “hashing” algorithm. These algorithms take the plain-text password and turn it into garbled letters and digits using a one-way mathematical formula. If it is easy to guess which formula was used and what went into it, passwords can be recovered.
According to Vickery, it appeared MacKeeper was using MD5, long known to be weak. There are a large number of MD5 cracking tools, all of which can figure out the weaker passwords (e.g. ‘123456’ or ‘password1’) in seconds. He said there was no “salt” either, which would add random characters to the password before it is garbled by the hash algorithm, making cracking more difficult.
The company admitted to Forbes it was using MD5 but was in the process of upgrading to SHA512. It will be resetting passwords too, but said the decision wasn’t connected to the leak, though the leak has spurred the company on to make changes.
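The following Python example is added here to illustrate the two points above; it is not code from MacKeeper, Kromtech or the Forbes report. It stores a few constructed sample accounts first the way the article describes (one fast MD5 over the bare password, no salt) and then with a per-account random salt and a deliberately slow derivation. The hardened scheme, PBKDF2-HMAC-SHA512 from Python’s standard library, is an assumption chosen for the illustration: the article only says the company was moving to SHA512, and SHA-512 by itself is, like MD5, a fast unsalted hash, so the salt and the iteration count are what actually slow down guessing.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not records from the leak.
SAMPLE_USERS = {"alice": "123456", "bob": "123456", "carol": "correct horse battery"}

PBKDF2_ITERATIONS = 210_000  # OWASP's published guidance for PBKDF2-HMAC-SHA512


def md5_unsalted(password: str) -> str:
    """The scheme the article describes: one fast MD5 over the bare password, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def hash_with_salt(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, deliberately slow key derivation (PBKDF2-HMAC-SHA512).

    Assumed hardened scheme for illustration; the article only says MacKeeper
    planned to move to SHA512, which on its own is still a fast, unsalted hash.
    """
    return hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)


def store_password(password: str) -> str:
    """Produce a self-describing record: scheme$iterations$salt$digest."""
    salt = os.urandom(16)  # fresh random salt for every account
    digest = hash_with_salt(password, salt)
    return f"pbkdf2_sha512${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count, compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2_sha512":
        return False
    candidate = hash_with_salt(password, bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def weak_table(users: dict) -> dict:
    """What a leaked table of unsalted MD5 hashes looks like."""
    return {name: md5_unsalted(pw) for name, pw in users.items()}


def hardened_table(users: dict) -> dict:
    """The same accounts stored with per-account salts and a slow derivation."""
    return {name: store_password(pw) for name, pw in users.items()}


def duplicate_hashes(table: dict) -> int:
    """Number of stored values shared by more than one account.

    Under unsalted MD5 every account using '123456' carries the same hash, so one
    precomputed value identifies all of them at once; with per-account salts the
    count is zero even when the underlying passwords are identical.
    """
    seen = {}
    for value in table.values():
        seen[value] = seen.get(value, 0) + 1
    return sum(1 for count in seen.values() if count > 1)


if __name__ == "__main__":
    weak = weak_table(SAMPLE_USERS)
    strong = hardened_table(SAMPLE_USERS)
    print("unsalted MD5 values shared between accounts:", duplicate_hashes(weak))
    print("salted PBKDF2 values shared between accounts:", duplicate_hashes(strong))
    print("verify alice with the right password:", verify_password("123456", strong["alice"]))
```

Running it shows the practical difference: in the MD5 table, alice and bob have identical entries, and the entry for ‘123456’ is the same well-known constant in every leaked database that used unsalted MD5, which is why such passwords fall in seconds. In the salted table the two records differ, each guess has to be re-derived per account, and every derivation costs a couple of hundred thousand HMAC operations instead of one.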
Vickery revealed that when he attempted to disclose the problem to Kromtech, the owner of MacKeeper, over the phone, he was unable to get through, so he posted about the issues on Reddit, following which the company officially responded and acknowledged the leak.