NETWORK SECURITY Hack Puts 13 Million MacKeeper Customers at Risk
Vickery said the MacKeeper data featured “names, email addresses, password hashes, IP address, software licence and activation codes, type of hardware (eg, ‘MacBook Pro’) and phone numbers”. “The only customer information we retain names, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses”. Vickery was able to download 13 million customer records by simply entering a selection of IP addresses, with no username or password required to access the data.
Chris Vickery, the researcher who reported the bug to Kromtech, did not even need to “hack” the instance; he says he chanced upon it and its contents using Shodan.io, a Google-like search service that scours the internet for devices rather than words and images.
Vickery tried to contact the company first but could not get through, so he posted the issues on Reddit. “We do not collect any sensitive personal information of our customers”, the company said. “Analysis of our data storage system shows only one individual gained access … the security researcher himself”, said Kromtech. “We have been in communication with Chris and he has not shared or used the data inappropriately”. Users’ payment information was “never at risk”, as it is processed by third-party merchants, the company said.
Vickery found the info with a simple search; there was no hacking involved and anyone who ran the search could have found it. The data wasn’t even protected by a password.
Kromtech did reply with a statement that it has taken steps to close the database off from the open Internet. This is all good news, but the fact that the company – which deals in computers – left such a large amount of data available to anyone is worrying. To make matters worse, MacKeeper used the notoriously unreliable MD5 algorithm to encrypt the passwords stored on their database, Rupani said.
Kromtech, which makes the software, acknowledged Monday that a hole in its security exposed the usernames, email addresses and other personal information for 13 million customers.
Vickery had performed a search for database servers that are both open to external connections and don’t require authentication.

MacKeeper’s original owner, the Ukrainian firm ZeoBIT, which began selling MacKeeper in 2010, paid $2 million this past August to settle a class-action lawsuit over aggressive marketing practices that allegedly tricked users into spending $40 each to upgrade from the free version.
Chris Vickery provided this screenshot on Reddit as proof that he had accessed MacKeeper databases online.