The popular Android app store Aptoide has apparently been breached, with millions of users having their data stolen by a hacker.
Aptoide is a third-party app store, meaning it isn’t operated by Google or provided by a smartphone manufacturer, and claims to have over 150 million users, 7 billion downloads, and 1 million apps.
However, its popularity has now made it a target for a hacker, who has seemingly stolen the details of 39 million users and published 20 million of those online.
According to ZDNet:
The leaked information, a copy of which ZDNet obtained with the help of data breach monitoring service Under the Breach, contains information on users who registered or used the Aptoide app store app between July 21, 2016, and January 28, 2018.
Data leaked today that can be classified as “personal identifiable information” includes details such as the user’s email address, hashed password, real name, sign-up date, sign-up IP address, device details, and date of birth (if provided).
Other details also include technical information such as account status, sign-up tokens, developer tokens, if the account was a super admin, or referral origin.
Aptoide has subsequently taken steps to improve its security systems, and in a statement on their website stated:
We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.
Besides continuous training, we have hired external companies to audit our infrastructure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe.
Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward.
While you should always be careful about using third-party app stores, Aptoide has generally been considered one of the more secure, and it is clear that they are taking positive steps in the wake of this breach to protect users and learn from the experience.
However, this also demonstrates the importance of not reusing usernames and passwords across multiple platforms. Any affected users who did so will now be at risk wherever they used the same credentials, since a leaked password hash can be cracked offline and then tried against other services.
If you’re concerned about how your organisation should respond to a data breach of this sort, contact us today to get our expert advice.