It was Sunday, December 13th, when a bored white-hat hacker, Chris Vickery, a 31-year-old who works on an IT helpdesk by day and crawls the web as FoundTheStuff at night, started running random searches on the well-known IoT search engine Shodan. Chris was querying for port:27017, the default port of the MongoDB database management system. Digging deeper and deeper through the port:27017 results, Chris hit the jackpot.
What was discovered?
He discovered a database belonging to MacKeeper, a Mac maintenance utility that has been criticised for its shady attitude towards product promotion. The database weighed in at more than 21 GB and contained the records of more than 13 million users. According to the official statement:
All customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers. The only customer information we retain is name, products ordered, license information, public IP address and their user credentials such as product-specific usernames, password hashes for the customer’s web admin account where they can manage subscriptions, support, and product licenses.
Chris confirmed that the passwords were hashed, but the MacKeeper team had used MD5 without a salt, meaning it would have been very easy for malicious actors to recover the original passwords from the stored hashes. Freely available MD5 lookup tools such as MD5CRACKER can reverse such unsalted hashes.
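To make the point concrete, here is an added example (not code from the article or from MacKeeper) that contrasts the unsalted-MD5 scheme described above with a per-user-salted PBKDF2 scheme; the user records and the 600,000-iteration work factor are constructed assumptions for the demo.

```python
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample users for the demo; two of them chose the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice": "Summer2015",
    "bob": "Summer2015",
    "carol": "correct horse battery",
}

def unsalted_md5(password: str) -> str:
    """The weak scheme described in the article: one MD5 digest, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

def looks_like_unsalted_md5(stored: str) -> bool:
    """Audit check: a bare 32-hex-char field is a red flag for unsalted MD5
    (a salted scheme needs somewhere to keep the salt and parameters)."""
    return re.fullmatch(r"[0-9a-f]{32}", stored.lower()) is not None

def duplicate_hashes(records: Dict[str, str]) -> List[List[str]]:
    """Audit check: with an unsalted hash, identical passwords give identical
    digests, so one precomputed lookup exposes every user in a colliding group."""
    by_hash: Dict[str, List[str]] = {}
    for user, digest in records.items():
        by_hash.setdefault(digest, []).append(user)
    return [sorted(users) for users in by_hash.values() if len(users) > 1]

# Assumed work factor: OWASP's published figure for PBKDF2-HMAC-SHA256 (2023).
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened alternative: a random 16-byte per-user salt plus a slow KDF.
    Returns (salt, digest); both must be stored, the salt need not be secret."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest

def verify_password(password: str, salt: bytes, stored: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)
```

Run `duplicate_hashes` over a dump of the weak scheme and alice and bob are immediately grouped together; hash the same password twice with `hash_password` and the two digests differ, so no cross-user lookup is possible.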
The facts speak for themselves. The biggest contributor to insecurity is negligence and an indifferent attitude towards user data. If a company cannot be bothered to make the simple network change that keeps its database off the public internet, imagine how many ‘real’ vulnerabilities may reside in such an organisation.
The most important point to note is that this data was publicly available: there was no need to actually hack or launch a cyber-attack on the database to retrieve it. Unfortunately, some news sources, including MacWorld, HackRead and TheHackerNews, reported it as a “hack”.