Android Store Hacked; Up to 40M Accounts Leaked

By John Lister

A third-party Android app store has been hit by a big data breach. Aptoide users who registered between 21 July 2016 and 28 January 2018 may be affected.

Aptoide works in the same way as Google's own Play app store, but isn't subject to its content regulations or security vetting. As with all third-party stores, users must confirm they accept the security risks when installing apps from it.

A hacker has published data from 20 million users and claims to hold the details of another 19 million. That's a big chunk of the 150 million people Aptoide says have used its service at some point. (Source: zdnet.com)

Passwords At Risk

The data includes email addresses, dates of birth, the user's real name (where provided) and details of when they signed up, what device they used, and the IP address from which they signed up. That could raise the risk of identity theft, and the data is also valuable to spammers, who are always looking out for lists of real email addresses. Not every user's record contained every type of data.

More sensitive data such as physical addresses and card information wasn't part of the database, meaning it hasn't been exposed.

The published data also includes some account passwords, though these are stored as hashes rather than in plain text. That means anyone wanting to recover the passwords would likely need a combination of time and serious computing power.

However, it doesn't appear the hashing used a secondary step called salting, which mixes random data into each password before it is hashed. Without it, there's a much greater chance that automated tools would succeed in cracking the passwords.
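To show why the missing salt matters, here is an added example (not code from the article or from Aptoide) using a constructed table of three accounts and a tiny stand-in word list: with bare hashes, two users who chose the same password get the same hash and one precomputed table matches both, whereas a per-account random salt with a slow hash (PBKDF2 here, as an assumption about what a sound scheme would use) makes the hashes differ and the table useless.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (not real breach data); alice and bob share a password.
ACCOUNTS = {
    "alice@example.com": "summer2016",
    "bob@example.com": "summer2016",
    "carol@example.com": "Tr0ub4dor&3",
}

# Tiny stand-in for the large word lists that automated cracking tools use.
COMMON_PASSWORDS = ["123456", "password", "summer2016", "qwerty"]

ITERATIONS = 200_000  # work factor: makes each guess cost real CPU time


def unsalted_hash(password):
    """The weak scheme the article describes: a bare hash, identical for identical passwords."""
    return hashlib.sha256(password.encode()).hexdigest()


def lookup_table_hits(stored):
    """Defender's exposure check: which stored unsalted hashes match a table of common passwords?
    The table is built once and matches every account that used any listed password."""
    table = {unsalted_hash(p): p for p in COMMON_PASSWORDS}
    return {email: table[h] for email, h in stored.items() if h in table}


def salted_hash(password, salt=None):
    """Salted, slow hash: a fresh 16-byte random salt per account, so equal passwords get
    different digests and no precomputed table applies. Returns (salt, digest) for storage."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def verify_salted(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def demo():
    unsalted = {e: unsalted_hash(p) for e, p in ACCOUNTS.items()}
    salted = {e: salted_hash(p) for e, p in ACCOUNTS.items()}
    return {
        "unsalted_duplicates": unsalted["alice@example.com"] == unsalted["bob@example.com"],
        "table_hits": lookup_table_hits(unsalted),
        "salted_duplicates": salted["alice@example.com"][1] == salted["bob@example.com"][1],
        "verify_ok": verify_salted("summer2016", *salted["alice@example.com"]),
    }


if __name__ == "__main__":
    print(demo())
```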

Reused Passwords a Major Threat

The big danger isn't so much that a hacker could then access a user's Aptoide account. Instead, they could try the same email address and recovered password on other services, which could give them access to confidential data.

If the hackers were able to access social media accounts, they could also sell the details to people who want to use them for purposes such as posting and sharing spam, dubious links or misinformation.

Yet another possibility is that the database of user names, email addresses and passwords is sold to spammers, who then mass-email millions of users claiming to have hacked their PCs and phones, citing a real password from the breached database as "proof". The scammers claim to have recorded the user through their own webcam while viewing adult content, and demand $2000 worth of bitcoin to keep quiet, threatening otherwise to send the explicit video to friends and family. This is commonly known as the Webcam Bitcoin Blackmail Scam.

Aptoide says it is investigating the breach and will take any necessary action to correct it. For the time being it has put a hold on new registrations. (Source: aptoide.com)

What's Your Opinion?

Have you ever used a third-party app store? Do you trust such services less than the official stores of firms like Apple and Google? Do you use separate passwords for every site?


Comments

buzzallnight:

Software security is an oxymoron, like Giant Shrimp.

You need to assume that you will be hacked.

So, first of all,
you never use your real name,

second
you never use your real phone number

third
YOU NEVER PUT YOUR REAL ADDRESS ONLINE!!!!!!!!!!!!!!!!
People have died because of violating this rule!!!!!

Be sneaky!
Have several different email addresses.
Don't use the one you use for anything having to do with money for anything else.

If you have more than one computer
use only one of them for anything having to do with money and not anything else.

Security questions:
Most of your personal data can be found on the internet, so
misspell it!
Hackers are looking for the correct answer; they will never figure this out.

In closing I would just like to tell you:
THERE ARE NOT ANY PILLS THAT WILL MAKE YOUR DICK BIGGER!
THERE IS NOT A NIGERIAN KING THAT WILL REWARD YOU HANDSOMELY IN THE FUTURE
IF YOU JUST SEND HIM SOME MONEY NOW!
Don't be stupid,
view anything on the internet with a great deal of skepticism!!!!!!!