MacKeeper Hacked: Researcher Finds 13 Million Credentials Online

ShortRead: MacKeeper, a utility software suite for Mac OS X faced a data breach which has exposed details in relation to its 13 million customers.

The most interesting part of this breach is that the guy who reported this breach doesn’t even have a Mac and found this on Shodan which is a search engine that indexes everything connected to the internet.

His name is Chris Vickery, a 31 year who works at MackeeperIT helpdesk in the day and a security researcher by night. He found 21 GB of data from the breach while finding database servers that don’t require any authentication and are open to external connections.

Vickery was looking to find servers that are listening to incoming connections on port 27101. Ports are basically a doorway to a server and each port governs a number of web applications and services like MongoDB (a popular database management system) are associated with the port 27017.

Vickery’s request turned up four internet addresses which were later identified to be belonging to Kromtech the company who made Mackeeper.

Screenshot of the leaked data:

View post on imgur.com

“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database,” according to Krebs on Security.


Vickery after finding the breached data quickly contacted the company and the company quickly closed off all the public access to their server and also thanked Vickery publicly! Here is a statement from the company:

“Some 13 million customer records leaked from is aware of a potential vulnerability in access to our data storage system and we are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” the company said in a statement published to its site today. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech further said that all the data in relation to a credit card or another payment processor is safe because it’s been processed by a third party merchant.

“Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers,” the statement continues. “The only customer information we retain names, products ordered, license information, public IP address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”

According to Kromtech, the breach took place due to a misconfiguration in the server that was introduced last week. But, Vickery doesn’t agree to this because Shodan records showed data from mid-November 2015 meaning a data breach was likely.

While telling how easy it was to connect to the database Vickery told that the information he got from Shodan, he simply copy-pasted in a tool for databases “Mongo databases” and got access to the server.

What about your password?

The leaked passwords were in encrypted form but Vickery believes that company is using weak MD5 hashes algorithm to protect their customer database and anyone can crack weak hashes using a simple online tool or their GPU’s etc. The company responded to the issue on Vickery’s post on Reddit:

View post on imgur.com

This incident is a reminder to all the organizations to make sure that they check from all the available resources that if there is any data publicly available and also make use of Shodan whose usefulness was discovered by this incident.

Earlier this month, Apple discussion forum also warned the users on installing MacKeeper on their system. The forum post described MacKeeping as an invasive malware

“MacKeeper has been described by various sources as highly invasive malware that can destabilize your operating system”

For MacKeeper’s customer, it’s time to change their passwords and also to check out if everything is ok with their accounts.

Noor Qureshi

Noor is a security writer at TheHackToday.com, He is a passionate web designer, pen tester, coder and a contributor at HackRead. Noor supports the Anonymous hacktivist movement and likes to investigate their operation from the core.