Update: Kromtech has acknowledged the breach, stating that “analysis of our data storage system shows only one individual gained access performed by the security researcher himself.” It says that payment information is processed by a third-party company and is not stored by the company. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”
As if conning people out of money for a piece of scamware that does nothing useful weren’t bad enough, a security researcher claims that extremely poor security has allowed him to access sensitive data for more than 13M MacKeeper accounts.
I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, ip address, software license and activation codes, type of hardware (ex: “macbook pro”), type of subscriptions, phone numbers and computer serial numbers.
Vickery, who posted a screenshot of the folder structure (below), said on Reddit that the server was completely unprotected.
Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No log in required at all.
The researcher also noted that while passwords were not stored in plaintext, the hashing scheme used to protect them was extremely weak.
MD5 with no salt… so very weak hashing
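To show what “MD5 with no salt” means for the people whose hashes leak, here is an added example (not code from the article, from Vickery, or from Kromtech) that builds a small constructed credential store two ways: once with a single unsalted MD5, and once with salted PBKDF2-SHA256. The usernames and passwords are invented; the audit helper `shared_hash_groups` and the format check `looks_like_unsalted_md5` are assumptions of this example, written from the viewpoint of someone reviewing a credential store rather than attacking one.

```python
import hashlib
import hmac
import os
from collections import defaultdict
from typing import Optional

# Constructed sample accounts (not real MacKeeper data). The plaintext is
# present only so the example can build both storage formats from it.
SAMPLE_USERS = [
    ("alice", "Summer2015!"),
    ("bob", "Summer2015!"),   # deliberately the same password as alice
    ("carol", "correct horse battery staple"),
]


def unsalted_md5(password: str) -> str:
    """The weak scheme described in the quote: one MD5 over the password, no salt.
    Identical passwords give identical hashes, and precomputed tables apply directly."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """A defensible scheme: per-user random salt plus a slow, iterated hash.
    Stored as a self-describing string so the parameters travel with the hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def shared_hash_groups(records):
    """Audit helper (assumed, not a real library API): group account names that share
    an identical stored hash. With unsalted hashes every group larger than one exposes
    users who chose the same password; with per-user salts no such groups exist."""
    groups = defaultdict(list)
    for name, stored in records:
        groups[stored].append(name)
    return {h: names for h, names in groups.items() if len(names) > 1}


def looks_like_unsalted_md5(stored: str) -> bool:
    """Heuristic for spotting the weak format in a credential store:
    exactly 32 hex characters with no salt or parameter fields attached."""
    return len(stored) == 32 and all(c in "0123456789abcdef" for c in stored.lower())


def build_stores(users=SAMPLE_USERS):
    """Build the same accounts in both formats. The demo uses a lower iteration
    count than the production default so it finishes quickly."""
    weak = [(name, unsalted_md5(pw)) for name, pw in users]
    strong = [(name, pbkdf2_hash(pw, iterations=100_000)) for name, pw in users]
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_stores()
    print("unsalted MD5 rows:", weak)
    print("accounts sharing a hash:", shared_hash_groups(weak))
    print("salted PBKDF2 rows:", strong)
    print("accounts sharing a hash:", shared_hash_groups(strong))
```

Running it shows alice and bob with the same 32-character MD5 value in the weak store, so anyone holding the dump learns they share a password and can match either row against a precomputed table; in the salted store the two rows differ, each verifies only against its own password, and the audit helper reports nothing.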
Vickery says that he will reveal more details about how he was able to access the data after the company has secured it.
If you’re looking for genuine software to clean and speed up your Mac, check out our roundup.