Researcher Accesses Details Of 13m MacKeeper Users

A security researcher has managed to access the personal details of 13 million users of MacKeeper – a widely advertised application which, among other things, promises to improve the security of Macs.

Chris Vickery said he downloaded the database through a search of the Shodan.io engine, which indexes anything connected to the Internet.

Kromtech, the developer of MacKeeper, was not a specific target, and the information was discovered via a search of ‘Port 27017’ for publicly accessible MongoDB databases.


Vickery said he had difficulty finding anyone at Kromtech to inform of the situation, but was eventually contacted by the company, which now says it has secured the situation. It says it is grateful to Vickery, but has stressed that no payment details were accessed and that no details were stolen by a malicious actor.

“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.

“Our customer’s private information and data protection is our highest priority. All customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers.

“We do not collect any sensitive personal information of our customers. The only customer information we retain are name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Some security experts have criticised MacKeeper’s ‘aggressive’ marketing strategy of pop-up advertising and have likened it to scareware. MacKeeper was sued in 2014 for allegedly telling users that non-existent problems were found on their systems in order to coerce them into buying the program.

Earlier this year, researchers discovered a ‘critical’ vulnerability in the controversial program that could allow an attacker to take over a system if a user visited a specially crafted webpage.


Steve McCaskill

Steve McCaskill is editor of TechWeekEurope and ChannelBiz. He joined as a reporter in 2011 and covers all areas of IT, with a particular interest in telecommunications, mobile and networking, along with sports technology.
