Update: Kromtech has acknowledged the breach, stating that “analysis of our data storage system shows only one individual gained access performed by the security researcher himself.” It says that payment information is processed by a third-party company and is not stored by the company. “The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

As if conning people out of money for a piece of scamware that does nothing useful weren’t bad enough, a security researcher claims that extremely poor security has allowed him to access sensitive data for more than 13M MacKeeper accounts.

I have recently downloaded over 13 million sensitive account details related to MacKeeper, Zeobit, and/or Kromtech […] stuff like names, email addresses, usernames, password hashes, computer name, ip address, software license and activation codes, type of hardware (ex: “macbook pro”), type of subscriptions, phone numbers and computer serial numbers.

The data was accessed by white-hat researcher Chris Vickery, who previously exposed data breaches at MLB, ATP, Slipknot and a network of charter K-12 schools in California …

Vickery, who posted a screenshot of the folder structure (below), said on Reddit that the server was completely unprotected.

Six hours after making this post (and it being at the top of the Apple subreddit), the database is still completely unprotected […] No log in required at all.

The researcher also noted that while passwords were encrypted, the system used was extremely weak.

MD5 with no salt… so very weak hashing

Vickery says that he will reveal more details about how he was able to access the data after the company has secured it.

If you’re looking for genuine software to clean and speed up your Mac, check out our roundup.


FTC: We use income earning auto affiliate links. More.

Check out 9to5Mac on YouTube for more Apple news:

You’re reading 9to5Mac — experts who break news about Apple and its surrounding ecosystem, day after day. Be sure to check out our homepage for all the latest news, and follow 9to5Mac on Twitter, Facebook, and LinkedIn to stay in the loop. Don’t know where to start? Check out our exclusive stories, reviews, how-tos, and subscribe to our YouTube channel

About the Author

Ben Lovejoy

Ben Lovejoy is a British technology writer and EU Editor for 9to5Mac. He’s known for his op-eds and diary pieces, exploring his experience of Apple products over time, for a more rounded review. He also writes fiction, with two technothriller novels, a couple of SF shorts and a rom-com!

Ben Lovejoy's favorite gear