Aptoide hacked: more than 20 million accounts exposed

We have already commented on it on previous occasions: information and personal data are the new oil of the 21st century. Both digital companies and hackers trade with them and who else who least has suffered the leak of any of their accounts on the network. This week it was the turn of Aptoid.

Although the bank details have not been compromised and the personal information stolen has been minimal, millions of access credentials have been exposed. Apotide is the world's largest independent app store, with a total of more than 150 million registered users. A really popular, decentralized, blockchain-based alternative app repository, allowing developers to create their own app store within the platform's global conglomerate.

The hack came to light on April 17 through the Twitter account Under The Breach, where it is clarified that more than 39 million Aptoide accounts would have been copied, filtering 20 million accounts in a public access forum to prove the veracity of the attack. The logs include email addresses, SHA-1 hashed passwords, names, dates of birth, account status, user agents of the last logins and the corresponding IP address. Likewise, it is also indicated if an account belongs to a user with super administrator permissions.

After this terrible news, which undoubtedly must have caught the platform's owners with the changed foot, Aptoide has responded through its blog with new updated figures, indicating that the leak would have affected 49 million accounts. However, it is also clarified that around 32 million users used OAuth authentication to log in with your Facebook and Google accounts, so in these cases no password would have been breached. The passwords for the remaining accounts used a SHA-1 hash, a hashing algorithm that is currently no longer considered secure.

The leakage of personal data is minimal, yes, although it represents a danger of great dimensions

We could say that the hacking figures are quite low, mainly due to the open access model used by Aptoide. Since although we need to have an account to comment and leave a rating on the platform, app downloads and updates are open and it is not necessary to be registered to be able to do so. From Aptoide they have also recorded that of all the leaked accounts, very few of them have a name or date of birth, and that there is no bank data or other sensitive information that can be exploited.

Now, this does not mean that the hack is harmless or less dangerous for the user. If a third party has access to our Aptoide account that means that they can download APKs on our device without our permission and therefore there is a high risk of being infected with malicious software.

Therefore, if we use Aptoide to download applications, it is highly recommended that we change the access password as soon as possible. It is also not clear whether an attacker with access to a developer account could take advantage of the mishap to distribute corrupt applications, so the alarm remains high.

From Aptoide they assure that they are working to solve the problem. For the moment, they have disabled all activity on the platform that requires the use of an account (logins, comments, ratings and reviews). This does not affect downloads, which can continue to be done normally, but when Aptoide reopens its doors, users will be required to change their access password.

You have Telegram installed? Receive the best post of each day on our channel. Or if you prefer, find out everything from our Facebook page.

Recent Posts