A database of 13 million MacKeeper users has been easily accessed online, potentially exposing personal details but not payment information.

Email addresses, phone numbers, IP addresses and weakly hashed passwords for users of the controversial Apple Mac cleanup utility were exposed because the MongoDB databases hosting the information were misconfigured – leaving them wide open to rubberneckers. Security researcher Chris Vickery stumbled on the 20GB data trove using the Shodan machine data search engine.

Kromtech, the firm behind MacKeeper, had left the databases open to external connections without authentication, Vickery told KrebsOnSecurity.

In a statement, Kromtech admitted the breach while trying to minimise the impact of the slip-up by claiming only Vickery had accessed the information. It added that it had solved the problem within hours and that credit card information had never been exposed.

MacKeeper has a poor reputation among many in security circles because of its aggressive promotion through pop-up ads and questionable utility.