In the course of a data leak at the alternative Android app store Aptoide last week, attackers copied data from over 20 million store users and probably also published it in a well-known (hacker) forum. This emerges from a message from Aptoide to its customers and from information on the website of the breach notification service Have I Been Pwned (HIBP). The leaked data is already part of the HIBP database, so users can check there whether their account is affected.
According to Aptoide’s first blog entry on the data leak, the email addresses used for the app and “encrypted” passwords were copied. HIBP writes in its brief summary of the leak that details about the web browser / user agent used, “names” (not specified in more detail) and IP addresses were also copied. According to HIBP, the passwords were SHA-1 hashes without salt.
The data leak affects “only” users who have set up an account with Aptoide. However, this is not necessary to use the store: As Aptoide emphasizes in a second blog entry on the leak, only about three percent of all users create an account at all – for example, to write comments or reviews on apps.
Aptoide advises you to change your password quickly
According to Aptoide, password hashes were only part of the data leak if the password had been created specifically for the platform. If users had logged in via Google or Facebook, only a random character string was stored in the corresponding database field. Users with their own password should change it immediately, and of course also at any other service where the same password was reused.
According to the blog entries, registering with Aptoide will only be possible again once the data leak has been fully investigated and further information is available.