Massive Aptoide data breach compromised data of 20m users

Popular third party app store Aptoide was recently breached by a hacker who stole 39 million user records and published 20 million of them on a Dark Web hacking forum.

Aptoide was founded in 2011 and quickly gained popularity among users as an individually managed app store. As an open source platform, Aptoide has around one million apps that have been downloaded over seven billion times by over 150 million users.

The huge popularity of third-party app stores such as Aptoide continues despite warnings from cybersecurity experts, who have advised against using such stores because they carry a potential risk of malware distribution. Aptoide has claimed to be safe and that "all the apps are checked for viruses, and we perform extra security tests to ensure your Android device is always safe."

Jake Moore, a cybersecurity specialist at ESET, told Forbes that "using unofficial app stores is basically driving without insurance; you can do it, but you're not covered when anything goes wrong. Users have to weigh up whether or not it is really worth using such outlets, which can so often be used for illicit means."

Recently, the breach-reporting repository Have I Been Pwned revealed that Aptoide suffered a massive security incident this month that resulted in the compromise of information belonging to over 20 million users. The information stolen from the app store by a hacker was shared on a popular Dark Web forum and included browser user agent details, email addresses, names, IP addresses, and passwords. The breach reportedly took place on the 13th of April.

According to Forbes, the hacker who carried out the theft actually stole information of 39 million users and has published information of 20 million users on a Dark Web forum.

Aptoide confirmed on Saturday that a breach had indeed taken place, that it had begun evaluating the threat, that the breached database did not contain personal information of users, that all user passwords were encrypted, and that it had closed sign-ups on the site until a full audit was completed.

In a fresh update published Sunday, Aptoide said that the breach did not impact 97% of its users, as they had never signed up to use its services. However, the database stored email addresses, IP addresses, and user agent details of the 3% of its users who had signed up directly or using their Google or Facebook accounts.

The firm also said that while the passwords of the 32 million users who signed up using Google or Facebook accounts were not compromised, the passwords of the 8 million users who signed up using email addresses were kept in the database encrypted using the SHA-1 cypher. It also noted that, since Aptoide did not store any credit card, payment, social security, or phone number details in the database, no such details were accessed by the hackers.
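The storage scheme described above is the part of this incident a defender can act on: SHA-1 is a fast hash, not encryption, so an unsalted SHA-1 password record offers little protection once a database is leaked. The example below is added here and is not Aptoide's code or data; it assumes a password store that holds some legacy hex-encoded SHA-1 records alongside salted PBKDF2 records, and shows how to audit for the legacy ones and upgrade each to PBKDF2 transparently on the next successful login. All records and passwords in it are constructed.

```python
import hashlib
import hmac
import os
import re

# A legacy record is assumed to be a bare 40-hex-char unsalted SHA-1 digest.
LEGACY_SHA1_RE = re.compile(r"^[0-9a-f]{40}$")
PBKDF2_ITERATIONS = 600_000  # slow, salted hash; tune to your login latency budget


def hash_password_pbkdf2(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iters>$<salt_hex>$<dk_hex>' using a fresh 16-byte salt."""
    if not salt:
        salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"


def is_legacy_sha1(stored: str) -> bool:
    return bool(LEGACY_SHA1_RE.match(stored))


def verify_and_upgrade(stored: str, password: str) -> tuple:
    """Verify a login. Returns (ok, record_to_persist): for a legacy SHA-1 record
    that verifies, the returned record is the PBKDF2 replacement to write back."""
    if is_legacy_sha1(stored):
        candidate = hashlib.sha1(password.encode()).hexdigest()
        if hmac.compare_digest(candidate, stored):   # constant-time comparison
            return True, hash_password_pbkdf2(password)
        return False, stored
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False, stored
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
        return hmac.compare_digest(dk.hex(), dk_hex), stored
    except ValueError:  # malformed record: wrong field count or bad hex
        return False, stored


def audit_legacy_hashes(records: dict) -> list:
    """List users whose stored record is still an unsalted SHA-1 digest."""
    return sorted(user for user, rec in records.items() if is_legacy_sha1(rec))


# Constructed sample store: one legacy SHA-1 record and one already-migrated record.
SAMPLE_RECORDS = {
    "alice@example.invalid": hashlib.sha1(b"correct horse").hexdigest(),
    "bob@example.invalid": hash_password_pbkdf2("battery staple"),
}
```

Running the audit periodically after deploying this shows the migration progress; accounts that never log in again keep the weak record and are candidates for a forced reset.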

“Besides your email address used for login and encrypted password, no Aptoide user's personal data is in the database. Aptoide users were never requested for physical addresses, credit card information, telephone numbers, or other personal data,” it said.

"We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.

"Besides continuous training, we have hired external companies to audit our infrastructure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe. Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward," Aptoide added.

Commenting on the security incident suffered by Aptoide, Sam Curry, chief security officer at Cybereason, told TEISS that "it all comes down to trust in the end, and most of these stores are asking for too much trust up front while delivering too little basis for that trust. The advantage to some degree in the Android ecosystem is that you can choose a different store or set of stores, which lets marketplaces that focus on privacy and security features and value differentiate from one another.

"The unfortunate thing is that none seem to be doing it at this point - none are planting the security and privacy flags firmly and with investment. In reality, nothing is wholly secure because it is always an adaptive race against intelligent opponents, but which vendors’ products and services you buy into from mobile phone to home/work computing and from home automation to social media should be acknowledged to be a tacit trust moment as you effectively link your online identity, personas, privacy, security and to some degree safety with one vendor ecosystem or another."
