Leaky company databases expose 25 million accounts, researcher finds
15 December 2015
A researcher has alleged that OS X optimisation and security tool MacKeeper is fundamentally flawed and provides easy access to millions of user account details.
Researcher Chris Vickery has discovered that many of the databases MacKeeper uses to store its customer information are publicly accessible.
Over a two-week period, Vickery managed to access usernames, email addresses, postal addresses, password hashes, computer names and IP addresses belonging to approximately 13 million accounts from MacKeeper alone.
However, he did not manage to access payment details belonging to other users.
In total, he managed to collect private user information associated with almost 25 million accounts from MacKeeper, social network Vixlet, fitness app iFit, online gaming site Slingo, HIV dating app Hzone, video chat app OkHello and online public school network California Virtual Academies.
Vickery said that “no exploits or vulnerabilities were involved” and that the firms “published [user data] to the open web with no attempt at protection”.
Instead, Vickery told security blogger Brian Krebs that he was able to discover MacKeeper’s data records using search engine Shodan, which allows users to find internet-connected devices.
He has said he had “no malicious intentions”, but had obtained the data “to prove that it is available” to the companies affected, ensuring that they fix their misconfigured databases.
Kromtech Alliance, the firm that owns MacKeeper, said that it had assessed the situation itself with Vickery’s help and corrected the error.
“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” said the firm in a statement.
“Analysis of our data storage system shows only one individual gained access, performed by the security researcher himself.
“The privacy and security of our clients’ information remains our top priority and from the moment we were aware of the access, we immediately took several proactive steps to identify and correct the issue.”