Security researcher Chris Vickery has found and reported a massive security issue on the Web servers of MacKeeper, a piece of software often regarded as scareware. According to Krebs on Security, the databases of Kromtech, the company behind MacKeeper, were open to external connections and required no authentication whatsoever. The names, passwords, and other information of around 13 million users may have been exposed.

Kromtech has admitted the breach and put a statement on its website saying that "analysis of our data storage system shows only one individual gained access performed by the security researcher himself." It also states that customers' credit card details have never been at risk as they're processed by a third-party merchant.

"The only customer information we retain are name, products ordered, license information, public ip address and their user credentials such as product specific usernames, password hashes for the customer's web admin account where they can manage subscriptions, support, and product licenses," Kromtech explained.

In total, Vickery said there was about 21GB of data free for everyone to download, stored in MongoDB databases. All the researcher needed to do in order to reveal them was enter a query in Shodan, a search engine that can find pretty much anything connected to the Internet.

Vickery searched for database servers listening for incoming connections on port 27101, which is associated with MongoDB. He then simply copy-pasted the connection details from the results into MongoVue, a tool for browsing databases, and that was it: no credentials were needed.

John Matherly, the founder of Shodan, followed up on the story with a blog post, revealing that "at the moment, there are at least 35,000 publicly available, unauthenticated instances of MongoDB running on the Internet." That's about 5,000 more than there used to be in July, he added.

The exposed databases account for 684.8TB of data in total. The most popular database names are these:

local: 33,947
admin: 23,970
db: 8,638
test: 6,761
config: 859
test1: 612
mydb: 549
DrugSupervise: 382
Video: 376
mean-dev: 252

Matherly also emphasised that the issue is not unique to MongoDB. "Redis, CouchDB, Cassandra and Riak are equally impacted by these sorts of misconfigurations," he concluded.
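The misconfiguration Matherly describes comes down to two mongod.conf settings: a bind address that accepts connections from any interface, and authorization left off. The following added example (not code from Kromtech, Vickery or Matherly) audits a mongod.conf for exactly those two settings; both configuration texts are constructed for illustration.

```python
"""Audit a mongod.conf for the two settings behind unauthenticated,
Internet-exposed MongoDB instances: a non-loopback bindIp and
security.authorization not set to "enabled". Added example; the two
config texts below are constructed, not taken from any real deployment."""

WEAK_CONF = """\
# constructed: listens on every interface, no authentication required
net:
  port: 27017
  bindIp: 0.0.0.0
storage:
  dbPath: /var/lib/mongodb
"""

HARDENED_CONF = """\
# constructed: loopback only, role-based access control enforced
net:
  port: 27017
  bindIp: 127.0.0.1,::1
security:
  authorization: enabled
storage:
  dbPath: /var/lib/mongodb
"""

LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_conf(text):
    """Minimal parser for the indented key/value subset mongod.conf uses."""
    root, stack = {}, [(-1, {})]
    stack[0] = (-1, root)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        key, _, value = line.strip().partition(":")  # split on first colon only
        while indent <= stack[-1][0]:             # climb back to the parent level
            stack.pop()
        parent = stack[-1][1]
        if value.strip():
            parent[key] = value.strip()
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def audit(conf):
    """Return a list of findings; an empty list means both settings are safe."""
    findings = []
    net = conf.get("net", {})
    # mongod binds to localhost by default only since 3.6; older packages
    # listened on all interfaces, which is how exposures like this one arose.
    addrs = {a.strip() for a in net.get("bindIp", "127.0.0.1").split(",")}
    if net.get("bindIpAll") == "true" or not addrs <= LOOPBACK:
        findings.append("bindIp: accepts remote connections (%s)" % ",".join(sorted(addrs)))
    if conf.get("security", {}).get("authorization") != "enabled":
        findings.append("authorization: not enabled; any client can read every database")
    return findings
```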