2020-04-21

A third-party Android app store has been hit by a big data breach. Aptoide users who registered between 21 July 2016 and 28 January 2018 may be affected.

Aptoide works in the same way as Google's own Play app store, but isn't subject to its content regulations or security vetting. As with all third-party stores, users must confirm they accept the security risks when installing apps from it.

A hacker has published data from 20 million users and claims to have details of another 19 million users altogether. That's a big chunk of the 150 million people Aptoide claims have used its service at some point. (Source: zdnet.com)

Passwords At Risk

The data includes email addresses, dates of birth, the user's real name (where provided) and details of when they signed up, what device they used, and the IP address from which they signed up. That could raise the risk of identity theft, as well as being valuable to spammers, who are always looking out for lists of real email addresses. Not every user's record contained every type of data.

More sensitive data such as physical addresses and card information wasn't part of the database, meaning it hasn't been exposed.

The published data does also include some account passwords, stored as hashes rather than in plain text. That would mean anyone wanting to recover the passwords would likely need a combination of time and serious computing power.

However, it doesn't appear the password hashing used a secondary step called salting, in which a random value is added to each password before it is hashed, so that two users with the same password end up with different stored hashes and a table of precomputed hashes can't be reused across accounts. That means there's a much greater chance that automated tools would succeed in cracking the passwords.
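To make that difference concrete, here is an added Python example (not from the article or from Aptoide) using constructed sample accounts: the same records stored first as bare SHA-256 hashes and then with a per-user random salt and PBKDF2, plus a check of how many records a single precomputed table of common passwords recovers in each case.

```python
import hashlib
import hmac
import os
from typing import Callable, List, Optional, Tuple

# Constructed sample records: two users chose the same weak password.
USERS = [
    ("alice@example.com", "password123"),
    ("bob@example.com", "password123"),
    ("carol@example.com", "correct horse battery staple"),
]
# Constructed list standing in for the wordlists automated tools hash in bulk.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty"]
ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def unsalted_hash(password: str) -> str:
    """The scheme the article describes: a bare hash with no per-user salt."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, str]:
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest.hex()


def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Login path: rehash with the user's stored salt, compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt)[1], stored_hex)


def precomputed_table_hits(stored: List[str], hash_fn: Callable[[str], str]) -> int:
    """How many stored hashes one table, computed once, recovers outright."""
    table = {hash_fn(p): p for p in COMMON_PASSWORDS}
    return sum(1 for h in stored if h in table)


def unsalted_exposure() -> Tuple[int, int]:
    """(distinct hashes among the two 'password123' users, precomputed-table hits)."""
    stored = [unsalted_hash(pw) for _, pw in USERS]
    return len({stored[0], stored[1]}), precomputed_table_hits(stored, unsalted_hash)


def salted_exposure() -> Tuple[int, int]:
    """Same users, salted: identical passwords no longer share a hash, and a
    table built without each user's own salt matches nothing."""
    stored = [salted_hash(pw)[1] for _, pw in USERS]
    table_fn = lambda p: salted_hash(p)[1]  # fresh salt per entry, as an outsider would have to
    return len({stored[0], stored[1]}), precomputed_table_hits(stored, table_fn)
```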

Reused Passwords a Major Threat

The big danger isn't so much that a hacker could then access a user's Aptoide account. Instead, they could try the combination of the email address and recovered password on other services, which could allow access to confidential data.

If the hackers were able to access social media accounts, they could also sell the details to people who want to use them for purposes such as posting and sharing spam, dubious links or misinformation.

Yet another possibility is that the database of user names, email addresses, and passwords would be sold to spammers, who in turn mass email millions of users claiming to have hacked their PCs and phones (offering a real password from the breached database as proof). Scammers then claim to have recorded the user through their own webcam while they were watching explicit content, and demand $2000 worth of bitcoin to keep things quiet - otherwise they will send the supposed videos to friends and family. This is otherwise known as the Webcam Bitcoin Blackmail Scam.

Aptoide says it is investigating the breach and will take any necessary action to correct it. For the time being it has put a hold on new registrations. (Source: aptoide.com)

