MacKeeper fails to keep 13 million Mac users safe

Even if you don’t have a Mac, you’ve probably heard of MacKeeper.

If you do have a Mac, you’ve probably seen the company’s promotional material, whether as clickable ads in third-party websites, or as popup warnings, or as pop-under dialogs. (Pop-unders are those annoying windows that are left behind when you close or move your main browser window.)

With slogans such as “Clean your Mac”, “100% performance boost” and “Increase security level”, the company’s aggressive advertising pitches its utilities as a personal technical assistant that helps with anti-virus protection, data encryption, junk file cleanup and performance optimisation.

Unfortunately, the company is in the news for all the wrong reasons at the moment, following a Reddit posting entitled Massive Data Breach by a security researcher calling himself FoundTheStuff.

Forbes identified the researcher as Chris Vickery, and says that he was able to access a MacKeeper company database of more than 13,000,000 customer records, apparently including names, email addresses, usernames, password hashes, phone numbers, IP addresses, system information and more.

What’s worse is that it sounds as though the stored password items were just the straight MD5 hashes of each raw password, without any salting or stretching.

Salts are random characters added to each password before it’s hashed, so that even if two users pick the same password, they end up with a different hash, so they stand or fall alone.

Stretching is applying the hashing function repeatedly in a loop, to make each password guess take longer, thus slowing down password guessing attacks.

Storing passwords as straight MD5 hashes is better than using plaintext, but not a whole lot better.

Modern password cracking machines can compute hundreds of billions of MD5 hashes per second, each of which can be directly compared with an unsalted password database to see if anyone picked that password.
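To make the salting and stretching argument concrete, here is an added example (not code from the article or from MacKeeper) that stores the same constructed set of user passwords two ways, once as straight MD5 as described above and once salted and stretched with PBKDF2-HMAC-SHA256, then runs a small dictionary attack against each. The usernames, passwords and wordlist are constructed for the demonstration; the iteration count is an assumption chosen to keep the run short.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample data: three users, two of whom chose the same password.
USERS = {
    "alice": "password123",
    "bob": "password123",
    "carol": "correct horse battery staple",
}

# Constructed stand-in for an attacker's wordlist.
WORDLIST = ["123456", "password", "password123", "letmein", "qwerty"]

# Stretching factor (assumed for the demo); real deployments tune this upward.
ITERATIONS = 50_000


def md5_unsalted(password: str) -> str:
    """The weak scheme described in the article: one MD5 over the raw password."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_salted(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Salted and stretched: PBKDF2-HMAC-SHA256 with a random per-user salt.

    Stored as algo$iterations$salt$hash so the verifier can recover the parameters.
    """
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_unsalted(db, wordlist):
    """Attack on unsalted hashes: hash each guess once, then look every user up.

    Returns (cracked_users, number_of_hash_operations). One hash per guess
    serves the whole database, which is why unsalted MD5 falls so quickly.
    """
    table = {md5_unsalted(w): w for w in wordlist}
    cracked = {user: table[h] for user, h in db.items() if h in table}
    return cracked, len(wordlist)


def crack_salted(db, wordlist):
    """Attack on salted, stretched hashes: every guess is recomputed per user,
    and every recomputation costs `iterations` HMAC rounds. Returns
    (cracked_users, equivalent_hash_operations)."""
    cracked = {}
    ops = 0
    for user, stored in db.items():
        iters = int(stored.split("$")[1])
        for w in wordlist:
            ops += iters
            if pbkdf2_verify(w, stored):
                cracked[user] = w
                break
    return cracked, ops


def run_demo():
    unsalted_db = {u: md5_unsalted(p) for u, p in USERS.items()}
    salted_db = {u: pbkdf2_salted(p) for u, p in USERS.items()}
    cracked_md5, ops_md5 = crack_unsalted(unsalted_db, WORDLIST)
    cracked_pbkdf2, ops_pbkdf2 = crack_salted(salted_db, WORDLIST)
    return {
        # Same password, same MD5: alice and bob are exposed together.
        "same_password_same_md5": unsalted_db["alice"] == unsalted_db["bob"],
        # Per-user salt: identical passwords no longer share a stored value.
        "same_password_same_pbkdf2": salted_db["alice"] == salted_db["bob"],
        "cracked_md5": cracked_md5,
        "cracked_pbkdf2": cracked_pbkdf2,
        "ops_md5": ops_md5,
        "ops_pbkdf2": ops_pbkdf2,
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Both attacks still recover the weak passwords, which is the point of the closing advice to pick a new password properly: salting and stretching raise the attacker's cost per guess per user (here five MD5 computations for the whole database versus 550,000 HMAC rounds for three users), but they cannot rescue a password that sits near the top of every wordlist.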

MacKeeper itself hasn’t yet confirmed or denied any details of what was stolen, advising only that “[a]ll customer credit card and payment information is processed by a 3rd party merchant and was never at risk,” and that the company “[does] not collect any sensitive personal information of [its] customers.”

Vickery, it seems, simply ran some queries on Shodan, a search engine that indexes internet-facing servers and devices, to see if he could find publicly accessible databases running the database software MongoDB.

When he dug into the results, he found that MacKeeper’s databases were directly online with no authentication at all, meaning that he didn’t need to know any usernames or passwords.

According to MacKeeper, he was the only outsider who connected to the databases recently, and the company affirms that he looked, reported what he’d found, and did nothing more with the data that was openly accessible.

If true, that means MacKeeper has sort-of dodged a data breach bullet…

…but it’s still a bad look for a system utility company to leave 13 million customer records openly accessible on the internet.

If you’re a MacKeeper user, set a new password, don’t use a password you’ve already used somewhere else, and pick your new password properly!

Image of MacKeeper robot courtesy of MacKeeper.