The chances are that if you own a Mac of any kind you have probably encountered online ads that promote MacKeeper, an application that promises to keep your Mac safe from external threats, but which is generally perceived to be a scareware app that you’d best avoid. In fact, there’s also a security issue that should further convince you to get rid of the app. Apparently, the company behind it can’t protect personal data belonging to its customers. Records for more than 13 million MacKeeper users have been exposed by a security researcher without any difficulty, and without him even looking specifically for this information.
Chris Vickery found 21GB of data containing usernames, passwords and other information belonging to MacKeeper users. According to Krebs on Security, Vickery did so by using Shodan, a search engine that looks for and indexes anything that gets connected to the Internet.
Vickery, who doesn’t own a Mac himself and wasn’t aware of MacKeeper before finding the data, told Shodan to find all known instances of database servers listening for incoming connections on port 27101, a port used by the MongoDB database management system to communicate.
He found four results, all belonging to Kromtech, the company behind MacKeeper. “There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said. “But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”
The company said in a security announcement on Monday that it fixed the problem soon after Vickery contacted them, adding that the data had not been compromised at any time before that.
“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use. We fixed this error within hours of the discovery,” the company said. “Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”
The company also added that credit card and payment information isn’t found in the data Vickery collected, as financial data is managed by a third party.
Vickery revealed that Kromtech told him the data had been exposed as a result of a server misconfiguration carried out last week. But he’s doubtful of that claim, as Shodan returned records found in mid-November 2015.
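The exposure described in this article comes down to a database server that listens on a public interface and accepts connections without authentication. The following script is an added example, not code from Kromtech or from the article: it audits a mongod.conf for exactly those two settings, showing a constructed weak configuration beside a hardened one. The minimal YAML reader is a hypothetical helper that understands only the nested key/value layout mongod.conf uses; the option names (`net.bindIp`, `net.bindIpAll`, `security.authorization`) are MongoDB's real configuration keys.

```python
"""Audit a mongod.conf for the two settings that turn a MongoDB server into a
publicly readable database: binding to all interfaces and running with
authorization disabled. Added example for this article, not the vendor's code."""

# Constructed sample: an exposed configuration of the kind the article describes.
WEAK_CONF = """\
# mongod.conf (constructed example of the exposed state)
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0
"""

# Constructed sample: the same server limited to localhost and requiring auth.
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_simple_yaml(text):
    """Parse the indentation-based 'key: value' subset that mongod.conf uses.
    Hypothetical helper: no lists, anchors or multi-line scalars are supported."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip()
        # Climb back out to the mapping that owns this indentation level.
        while stack[-1][0] >= indent:
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit_mongod_conf(text):
    """Return a list of findings; an empty list means neither weakness is present."""
    conf = parse_simple_yaml(text)
    findings = []

    net = conf.get("net", {})
    bind_ip = net.get("bindIp")
    if str(net.get("bindIpAll", "")).lower() == "true":
        findings.append("net.bindIpAll is true: the server accepts connections on every interface")
    elif bind_ip is None:
        findings.append("net.bindIp is not set: confirm this build defaults to localhost only")
    elif "0.0.0.0" in bind_ip or "::" in [p.strip() for p in bind_ip.split(",")]:
        findings.append(f"net.bindIp is {bind_ip}: the server is reachable from any network")

    security = conf.get("security", {})
    if str(security.get("authorization", "")).lower() != "enabled":
        findings.append("security.authorization is not 'enabled': anyone who can connect can read the data")

    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        problems = audit_mongod_conf(conf)
        print(f"{name}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run against a real deployment, the script is a pre-flight check for the config file; it does not replace verifying from outside the host which interfaces the daemon actually listens on, since a firewall rule or a container port mapping can expose a service that the file alone makes look safe.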
“The funny thing is, I don’t even own a Mac, and I had never heard of MacKeeper until last night,” Vickery said. “I didn’t know it was some sort of scamming scareware or software that pushes itself on people. The irony here is pretty thick.”
What should you do if you have purchased MacKeeper? It’s probably best to change the password, as there aren’t any guarantees that nobody else found the data accidentally, while conducting similar simple research. Also, you should definitely determine whether MacKeeper is actually worth keeping installed on your device.