UPDATE (Dec. 17): A MacKeeper spokesperson reached out to Global News to clarify that customer passwords were secured with an encryption algorithm.
“This occurred because of a database misconfiguration and was repaired within hours of us being notified,” said the spokesperson.
The company reiterated that it does not collect any sensitive data from its customers.
MacKeeper – an anti-virus tool that promises to protect Mac users – is under fire after it was discovered that a database containing personal data from over 13 million users was easily accessible to hackers.
Security researcher Chris Vickery found four IP addresses, none of which were protected by passwords, that allowed him to see customer information including names, email addresses, user names, passwords and phone numbers.
According to reports, Vickery also found that the passwords MacKeeper stored were not secure.
Vickery notified MacKeeper of the vulnerability, and the company issued a fix within hours.
“Analysis of our data storage system shows only one individual gained access performed by the security researcher himself. We have been in communication with Chris and he has not shared or used the data inappropriately,” the company said in a statement.
“We will continue to take every possible step to protect the data of our customers from the evolving cyber threats that companies both large and small face on a daily basis.”
The company noted that payment and credit card information was not stored on the affected database.
But security experts were quick to criticize the company for its lack of security – after all, it is a security product.
“Let’s be serious. MacKeeper is supposed to be a security product – and yet it stores passwords that weakly? Its users’ details are left on servers open to anyone on the internet, capable of being accessed without any form of authentication,” said security expert Graham Cluley.
“Not good. Not good at all.”
If you are a MacKeeper user and you use the same password on other websites, you should change your password as soon as possible.
Tips for creating secure passwords
Stay away from easy-to-guess passwords like “123456” or “password” and easy-to-guess identifiers, like your dog’s name.
Numbers included in a password should never be something easy to guess based on the user. That means your age, the current year, or your address are not good choices. Similarly, the longer the password the better.
Passwords that use up to ten upper- and lower-case letters mixed with numbers are proven to be more secure – despite being hard to remember.
One tip is to construct a password from a sentence, mix in a few upper case letters and a number – for example, “There is no place like home,” would become “tiNOplh62.”
And remember, try not to use the same password for any two accounts.