Here's a quick lesson in doing it wrong—and endangering millions of people in the process.
Notorious Mac data-utility app MacKeeper—along with its developers, Kromtech Alliance—is under fire for storing 13 million customer records on a publicly accessible database that was accessible with absolutely no security check, password, or identification required.
First made public by security researcher Chris Vickery in a post on the r/Apple subreddit, the vulnerability potentially exposed usernames, hashed passwords, subscriptions, user license information, and customer IP addresses. MacKeeper claims that payment information and credit card numbers were not accessible, though the company’s admits that its payment processing is handled by a third-party merchant and not in-house, which probably explains why it wasn’t part of the breach.
In a blog post, MacKeeper credits Vickery with discovering the gaping security hole and claims that the issue was fixed “within hours of the discovery.” However, Vickery’s own Reddit post notes that he was having trouble finding a point of contact within the company, so it’s unclear exactly how long it took to patch up.
MacKeeper claims that only one person, presumably Vickery, actually accessed the database from the outside, though that detail is difficult to independently verify.
As many in the original Reddit thread have noted, MacKeeper’s reputation among Apple fans isn’t exactly golden. The company has long been accused of underhanded marketing tactics and misleading promotional strategies, as well as claims that the software negatively impacts systems on which it has been installed.
If the company was hoping to turn its reputation around, exposing the accounts of 13 million users is not a great first step.