Researcher Accesses Details Of 13m Mackeeper Users

A security researcher has managed to access to the personal details of 13 million users of MacKeeper – a widely advertised application which, among other things, promises to improve the security of Macs.

Chris Vickery said he downloaded the database through a search of the Shodan.io engine, which indexes anything connected to the Internet.

Kromtech, the developer of MacKeeper, was not a specific target, and the information was discovered via a search of ‘Port 27017’ for publicly accessible MongoDB databases.

MacKeeper hack

Vickery said he had difficulty finding anyone at Kromtech to inform them of the situation, but was eventually contacted by the company which now says it has secured the situation. It says it is grateful to Vickery, but has stressed no payment details were accessed and that no details were stolen by a malicious actor.

“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.

“Our customer’s private information and data protection is our highest priority.  All customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers.

“We do not collect any sensitive personal information of our customers. The only customer information we retain are name, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

Some security experts have criticised MacKeeper’s ‘aggressive’ marketing strategy of pop-up advertising and have likened it to scareware. MacKeeper was sued in 2014 for allegedly telling users that non-existent problems were found on their systems in order to coerce them into buying the program.

Earlier this year, researchers discovered a ‘critcal’ vulnerability in the controversial program that could allow an attacker to take over a system if a user visited a specially crafted webpage.