MacKeeper, a brand accused of aggressively marketing anti-malware to Mac users, has exposed account details of 13 million customers.
The leaked account details were discovered by security researcher Chris Vickery, who reported the issue to MacKeeper's German owner, Kromtech, posting details of his finding on Reddit on Sunday.
Vickery, who uses the handle FoundTheStuff, said he was able to download 13 million sensitive account details from the company's servers without exploiting any vulnerability.
In other words, the MacKeeper account details were reachable by anyone on the internet, no password required. Vickery said he had used Shodan.io, a search engine that indexes internet-connected devices and the services they expose.
He stumbled across an unsecured MongoDB instance while doing what he called a "random" search for port:27017, MongoDB's default listening port. A screenshot he posted shows the database included a 21.2GB entry labelled "users".
Kromtech describes MacKeeper as an all-in-one software package for protecting and maintaining Mac OS X systems.
Its original owner, Zeobit, faced a class-action lawsuit over accusations it employed 'scareware' tactics to convince consumers to pay $40 to upgrade. Zeobit proposed a $2m settlement in August to end the suit, which a US court approved in November.
Kromtech said in a statement it has now locked down the leaky database, adding that it did not store customer billing data and credit-card information, which instead is held and processed by a third-party merchant.
"Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers," it said.
Still, sensitive details were exposed, including user credentials and password hashes for the firm's web administration page. Other details included the user's name, product orders, license information, and public IP address. Password hashes are only as protective as the algorithm behind them: fast, unsalted hashes fall quickly to offline cracking, so anyone who reused a MacKeeper password elsewhere should treat it as compromised.
The company said its analysis showed that only Vickery had accessed the leaked data and that the researcher hadn't shared the data inappropriately.
Despite leaving customer details exposed on the web, Kromtech insisted that private customer information and data protection are its highest priority and that it intends to launch an internal review to "identify the scope of the event and additional necessary security measures".
Arguably, Kromtech should have been aware that Shodan could be used to identify unsecured MongoDB instances; the problem was well publicised by the time of the leak.
A group of German information-security students ran a similar scan using the search engine earlier this year and claimed to have found 40,000 unsecured MongoDB instances on the web. Such exposures typically arise when mongod is left listening on all network interfaces with authentication disabled, a state that many installs of the time reached without any deliberate step. The students also posted a lengthy explanation of how to secure MongoDB instances.
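The following mongod.conf fragments are an added illustration, not text from the article or from the students' write-up: the first shows the shape of configuration a scanner hitting port 27017 finds wide open, the second the hardened equivalent. The private interface address, file paths and the use of MongoDB's YAML configuration format (2.6 and later) are assumptions for the example.

```yaml
# Added example, not from the original article. Two mongod.conf documents:
# the exposed shape versus a hardened one. Addresses and paths are assumed.

# --- Exposed: what the Shodan query port:27017 turns up ---
net:
  port: 27017
  bindIp: 0.0.0.0            # listens on every interface, including the public one
security:
  authorization: disabled    # anyone who can reach the port can read every collection

---
# --- Hardened ---
net:
  port: 27017
  bindIp: 127.0.0.1,10.0.0.5 # loopback plus the private interface the app server uses (assumed address)
security:
  authorization: enabled     # clients must authenticate; roles decide what each one may read
storage:
  dbPath: /var/lib/mongodb   # assumed path
systemLog:
  destination: file
  path: /var/log/mongodb/mongod.log
  logAppend: true
```

With `authorization: enabled` and no users defined yet, MongoDB's localhost exception lets an administrator connect from the same host and create the first user on the `admin` database; after that, every connection needs credentials. `bindIp` limits which interfaces mongod listens on but does nothing against other hosts on the same private network, so 27017 should also be blocked at the host or network firewall for everything except the application servers that need it.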