New Mac Data Breach Exposes Usernames, Passwords


Mac users who had relied upon utility software MacKeeper to help their computers run more smoothly may have a different wish today.

Approximately 13 million user credentials for MacKeeper were leaked to the Internet, security researcher Chris Vickery confirmed to security expert Brian Krebs. Vickery says he had been able to access 21GB of MacKeeper user data through Shodan, a search engine that indexes virtually any device or server connected to the Internet. Traditional search engines typically index websites and not the devices that can connect to the Internet. Upon downloading the data, Vickery says he was able to see MacKeeper usernames and passwords by accessing an unsecured database.

The discovery, in other words, is perhaps more concerning than a standard data breach. Indeed, the MacKeeper issue was not a data breach at all. Instead, MacKeeper had its own database accessible on the Internet and not secured to prevent malicious hackers from stealing credentials. By browsing Shodan, Vickery was able to simply access the data MacKeeper left unsecured and see usernames and passwords. No hacking was required.

The breach is just the latest in a long line of issues MacKeeper has faced over the years. The Mac-only utility, which promises better performance and security, has been roundly criticized by reviewers who said it could deliver more useful features. The website Macworld, focused on Apple (AAPL), earlier this month posted a full feature on how to remove MacKeeper after it claimed it received the request “multiple times a day” from users. The site argued that it’s difficult to fully remove the utility once it’s installed on a Mac.

MacKeeper, which costs between $5.95 and $14.95 per month, depending on the plan tier, has also been slapped for engaging in so-called “scareware” tactics, aimed at scaring users into paying for the paid version with additional security features after the free trial period ends.

Indeed, the app’s earlier owner, Zeobit, was slapped with a class-action lawsuit in 2014 for attempting to use scare tactics to get users to pay for the program. In August Zeobit proposed a settlement of $2 million, and in November a U.S. court approved the deal.

Now under the ownership of Germany-based developer Kromtech, MacKeeper claims to offer everything from “all-in-one system utility” features to, ironically, “anti-theft tracking.”

In a statement, Kromtech confirmed its data was accessible, but said that it quickly moved to fix the problem before malicious hackers could access it.

“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” Kromtech wrote in a statement. “We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”

Kromtech added that no customer credit card or payment information was exposed and it will launch a “comprehensive internal review” to identify ways to beef up its security.

For his part, Vickery confirmed that the data he collected was not used inappropriately and he contacted the company as soon as he discovered the data leak.

In an e-mailed statement to Fortune, a Kromtech spokesman confirmed that no one else accessed the database. The spokesman added that some of the accessed accounts may not have been active.

“Regarding the figure, this is a cumulative number which includes all customers, both active and non-active,” the spokesman said. “As stated, sensitive data were never at risk. The only customer information we retain are name, products ordered, license information, public IP address and their user credentials.”
