A database run by Kromtech, the makers of MacKeeper, a popular security software, left the details of up to 13 million Mac users exposed – usernames, email addresses, passwords and other information because it was misconfigured.
Mackeeper claims only one person gained access – the security researcher who uncovered the flaw.
“We are grateful to the security researcher Chris Vickery who identified this issue without disclosing any technical details for public use,” reads the MacKeeper blog.
“We fixed this error within hours of the discovery. Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.”
The company says payment information has not been compromised.
“All customer credit card and payment information is processed by a 3rd party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers.”
“The only customer information we retain are name, products ordered, license information, public IP address and their user credentials…”
Chris Vickery, the researcher who found the database used a specialised search engine called Shodan. He was searching for databases that accept external connections and required no authentication, explains Brian Krebs.
Vickery posted the results of his search on Reddit, where he requested the contact details of someone at Kromtech. The post claims it was numerous hours before the problem was fixed.
“There are a lot of interesting, educating and intriguing things that you can find on Shodan,” Vickery said.
“But there’s a lot of stuff that should definitely not be out there, and when I come across those I try to notify the owner of the affected database.”
Anyone with a MacKeeper account is encouraged to change passwords for all services that share the same details.
It’s not the first spot of bother for the software security company, that has been subject to class-action lawsuits for false advertising.
There have been several similar online security scares recently. Just over a week ago a hack of a children’s toy company exposed the details of more than 5 million parents and children.