White hat researcher Chris Vickery said he found four IP addresses that directed him straight into the company's MongoDB database, where names, emails, usernames, password hashes, phone numbers, system info and IP addresses were all stored without protection (for the most part). The passwords were hashed with the easily crackable MD5 algorithm, and the hashes weren't even salted.
Even more shocking was that the database did not require any kind of administrator password or username to get in. Vickery used the Shodan 'hacker search engine' to find the open database.
Vickery tried to contact the company first but could not get through, so he posted the issues on Reddit. The company then responded and fixed the issues within hours. "Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately," the MacKeeper team wrote in a blog post.
Written by: Andre Yoskowitz @ 15 Dec 2015 21:57