Another Day, Another Hack: Details of 13 Million MacKeeper Users

If your company's database is reachable over the internet, it will be found.

Dec 15 2015, 3:00pm

Illustration: Che Saitta-Zelterman

Quite literally, everyday someone gets hacked. Whether that's a telecommunications company having its customer data stolen, or another chain of businesses being ripped for all the credit cards it processes, today one hack just seems to melt into another. I mean, the day just isn't complete without a fresh leak of the personal info of ten or so million users.

It's gotten to the point where there are just so many hacks, that you may have become desensitized to the sheer amount of data that has been pilfered away from the servers of companies. One million user accounts here, 4 million hashed passwords there. The mundanity of everyday data breaches is taking its toll.

That's why we're launching this new format: Another Day, Another Hack. We'll do short posts giving you what you need to know about the hack, so you can figure out whether your bank account, website logins or anything else might be at risk. Because, even if the hack might not be the most sophisticated, and as new data breaches fight for your attention, real people are still getting fucked over somewhere, and should know about it.

A database for Mac anti-virus software MacKeeper is in fact fully accessible from the internet, leaving the names, email addresses, usernames, hashed passwords, phone numbers, IP addresses and other information of 13 million users totally exposed.

As Forbes reports, Chris Vickery, a security researcher, found the database on the computer search engine Shodan.

MacKeeper offers a range of different services, and its website claims its products are used by "millions."

On top of the exposure of customer's personal details, the passwords were stored with the notoriously weak hashing algorithm MD5. Hashing is a method for storing data in a more secure form, or making sure that files haven't been altered or tampered with.

But researchers have warned about the pitfalls of MD5 for years, and passwords hashed with MD5 are commonly cracked.

"First of all, we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use," a spokesperson for MacKeeper told Motherboard in an email.

"We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately."

The lesson: Companies need to remember that if their systems are exposed, and can be reached publicly over the internet, they will be found. It really should go without saying, but databases containing personal information of customers should not be accessible to just about anybody with an internet connection.

Another day, another hack.