December 14, 2015
MacKeeper™ Security Advisory
UPDATE 1 [Dec 16th, 2015]: We have added Live Chat hotline functionality to this post in order to address any questions you may have in real time. Please find Live Chat below.
UPDATE 2 [Dec 17th, 2015]: Deployment of a new hashing algorithm for user passwords is almost complete. We are planning to start resetting account passwords by EOD today, around 7pm ET (TBD). You will start receiving pop-up notifications which contain detailed step-by-step instructions.
UPDATE 3 [Dec 18th, 2015]: MacKeeper account passwords are in the process of being reset. By this time, some of our customers should have received an in-app pop-up notification with easy-to-follow instructions on how to set a new password. Don't worry if you have not received it yet; the process takes time. Thank you for your patience, we will keep you updated!
UPDATE 4 [Dec 19th, 2015]: We have finished internal checks of the security systems and administrative systems. In the meantime, our support center is working 24/7 to answer all your questions related to the password change notifications and is ready to guide you through them.
UPDATE 5 [Dec 20th, 2015]: MacKeeper's team has invited security researcher Chris Vickery for a meet and greet at our booth at CES 2016, where some exciting announcements will be made. Stay tuned!
UPDATE 6 [Dec 23rd, 2015]: As of today, Chris Vickery has confirmed that his copy of the encrypted database has been destroyed, and we are proud to announce that he will be cooperating with MacKeeper as we continue to look for vulnerabilities or security issues. He will also be our special guest at the 2016 CES in Las Vegas, NV, where MacKeeper will be showcasing a new Anti-Theft application, Track My Mac (also available on the App Store), that tracks stolen computers, generates an iPhoto snapshot and location reports, and can be activated or deactivated with an iPhone.
We would also like to stress again that the user data actually was encrypted, despite some reports that omitted this important fact. MacKeeper has completed the process of upgrading to one of the most secure password-hashing methods available to encrypt our customers’ accounts. MacKeeper takes security seriously and will be working with a range of groups and individuals, including Chris Vickery, who will conduct ongoing security audits. We will continue to explore new ways to protect ourselves and our users from the evolving cyber threats that companies both large and small face on a daily basis.
Kromtech is aware of a potential vulnerability in access to our data storage system.
We are grateful to the security researcher Chris Vickery, who identified this issue without disclosing any technical details for public use. We fixed this error within hours of the discovery. Analysis of our data storage system shows that only one individual gained access: the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately.
Protecting our customers' private information and data is our highest priority.
All customer credit card and payment information is processed by a third-party merchant and was never at risk. Billing information is not transmitted or stored on any of our servers. We do not collect any sensitive personal information of our customers. The only customer information we retain is name, products ordered, license information, public IP address, and user credentials, such as product-specific usernames and password hashes for the customer's web admin account, where they can manage subscriptions, support, and product licenses.
We will continue to take every possible step to protect the data of our customers from the evolving cyber threats that companies both large and small face on a daily basis. The privacy and security of our clients’ information remains our top priority, and from the moment we became aware of the access, we took several proactive steps to identify and correct the issue.
These steps include launching a comprehensive internal review to identify the scope of the event and any additional necessary security measures. Our customers' security and protection will always come first, and we will continue to invest in the latest cyber security technologies.
We want to offer a special 'Thank you' to security researcher Chris Vickery for identifying the security breach attempt so that we could stop it before anyone was harmed.
After this security issue, we founded the MacKeeper Security Research Center with Chris Vickery, which helps online companies identify security threats before any sensitive data leaks online.