Aptoide, the independent Android app store, has had its user database stolen. The details of the breach were first published by Have I Been Pwned (HIBP), a site that lets users check whether their email address has appeared in any data breach. HIBP is warning that the details of 20 million customer records have been shared online via a popular hacking forum.
Aptoide has responded to the news with two press releases in quick succession. The first acknowledged that there may have been a breach and announced it had closed the sign-up page. The second gives more details of the breach. It includes what was taken, who is affected, and what the company is doing about the breach.
The company claims a user base of more than 250 million users and 1 million apps. However, there is no requirement to sign up to use the site. According to the company, this means that only 3% of its users may have been affected by the breach.
What data has been stolen?
The data held in the database appears to be limited to email addresses and IP addresses, along with the user agent recorded the last time a user signed in. There is also a birthday field, but it appears to be filled in only when users sign up through the website to access dashboards.
Aptoide has over 32 million users who sign in with their Google and Facebook credentials. It says that it does not store any passwords for those users at all.
Importantly, Aptoide is saying that payment cards, phone numbers and other data are not stored in the user database. How and where it stores that data is not given. It does, however, raise the question of why the attackers were able to obtain the database holding the basic user data while missing the more sensitive data. The answer will only be known when Aptoide and its forensic partner reveal the details of their investigation.
Enterprise Times: What does this mean?
Another day, another breach, another company having to apologise to users for not keeping their data safe. In this case, it seems that Aptoide has been lucky. By separating the data it holds, the damage has been limited.
How the attackers got in will be a major part of the investigation. Was it leaked credentials? Spear phishing against a member of staff? An unpatched vulnerability in the software they use? There are many ways it could have happened, but at the moment we just don’t know.
However it happened, Aptoide is promising that things will be better and security stronger once the investigation is over. One solution would be to add multi-factor authentication.
Perhaps the biggest bonus here is that there is not enough data to allow attackers to start phishing users. With so many people using their personal devices as they work from home, nobody needs more phishing emails that add to the risk of other data being stolen.