MacKeeper exposes 13 million users’ personal details

If you’ve got a Mac, you’ll be aware of MacKeeper – a piece of utility software supposedly designed to improve Macs’ performance, but widely condemned for doing exactly the opposite.

Why will you be aware of MacKeeper? Because it advertises via aggressive pop-up and pop-under ads: as PC World reported earlier this year, “the company buys upwards of 60 million ad impressions a month, making it one of the largest buyers of web traffic aimed at Mac users.”

MacKeeper’s alleged exaggeration of threats has prompted many to dismiss it as scareware. Earlier this year, MacKeeper’s former owners, ZeoBIT, faced a $2 million class-action suit for “deceptive design, marketing, and sale” of the software.

Despite this poor reputation, MacKeeper has a decent enough customer base. Unfortunately for 13 million of those customers, it seems that their personal information was kept on servers reachable from the Internet without any authentication.

21 gigabytes of user details

Security researcher Chris Vickery explained to Brian Krebs that “he unearthed [a] 21 gb trove of MacKeeper user data after spending a few bored moments searching for database servers that require no authentication and are open to external connections” on Shodan – a search engine that aims to index every Internet-connected device. Four of the IP addresses that search turned up belonged to Kromtech, the company that owns MacKeeper’s developers, and the user data sat on those servers.
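The exposure described above comes from two settings combined: a database listening on a public interface and running with authorization switched off. The page does not name the database product, so the following is an added example, not Kromtech’s code, and assumes a MongoDB-style mongod.conf (the keys `net.bindIp`, `net.bindIpAll` and `security.authorization`); it audits a config file for exactly that combination, with one constructed exposed config and one hardened config embedded for comparison.

```python
"""Audit a mongod.conf-style YAML file for the combination that makes a
database reachable from the Internet with no credentials: listening on a
non-loopback interface while authorization is disabled.

Added example; not MacKeeper/Kromtech code. The config keys follow MongoDB's
mongod.conf, which is an assumption: the article only says "database servers".
"""
import ipaddress


def parse_simple_yaml(text):
    """Parse the indentation-nested 'key: value' subset used by mongod.conf.

    Supports nested mappings and '#' comments only (no lists or anchors),
    which covers the net: and security: sections this audit needs.
    """
    root = {}
    stack = [(-1, root)]  # (indent, mapping) pairs for the current nesting
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments (values here contain no '#')
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")
        value = value.strip()
        while stack[-1][0] >= indent:  # close mappings at deeper or equal indent
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value.strip("\"'")
    return root


def is_public_bind(bind_ip):
    """True if any listed bind address accepts connections from off-host."""
    for addr in bind_ip.split(","):
        addr = addr.strip()
        if addr in ("*", "0.0.0.0", "::"):
            return True
        try:
            if not ipaddress.ip_address(addr).is_loopback:
                return True
        except ValueError:
            # Not an IP literal: 'localhost' is fine, any other hostname is not
            if addr != "localhost":
                return True
    return False


def audit(config_text):
    """Return a list of findings; an empty list means the config is not exposed."""
    cfg = parse_simple_yaml(config_text)
    net = cfg.get("net", {})
    # mongod has defaulted bindIp to localhost since 3.6; bindIpAll overrides it
    bind_ip = net.get("bindIp", "localhost")
    if str(net.get("bindIpAll", "false")).lower() == "true":
        bind_ip = "0.0.0.0"
    auth = cfg.get("security", {}).get("authorization", "disabled")

    findings = []
    if is_public_bind(bind_ip):
        findings.append(f"listens on non-loopback address(es): {bind_ip}")
    if auth.lower() != "enabled":
        findings.append("security.authorization is not enabled")
    return findings


# Constructed sample configs (not taken from any real deployment).
EXPOSED_CONF = """
net:
  port: 27017
  bindIp: 0.0.0.0     # every interface, including the public one
# no security section: authorization defaults to disabled
"""

HARDENED_CONF = """
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
"""

if __name__ == "__main__":
    for name, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(conf) or ["ok"])
```

Both findings have to be present for the Shodan-style discovery to work: a server bound to loopback is invisible from outside, and one with authorization enabled answers but hands over nothing. Fixing either closes the hole; fixing both is the defensible configuration.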

“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Mr Vickery told Mr Krebs. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”

According to a security advisory released yesterday by MacKeeper’s parent company, Kromtech, Vickery identified “a potential vulnerability in access to our data storage system” which Kromtech “took several proactive steps to identify and correct” as soon as it became aware of the issue. Kromtech also stated that no “sensitive personal information” was collected or stored.

“The only customer information we retain”, said Kromtech, “are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.”