Aptoide under siege: 20 million records exposed
A leak of 20,012,235 Aptoide accounts happened on April 13. The compromised data includes names, dates of birth (if provided), device details, IP and email addresses, and SHA-1 hashed passwords. Some technical information was also breached, such as account status, sign-up tokens, developer tokens, if the account was a super admin, or referral origin. The database in the form of a PostgreSQL export file was shared on a popular hacker forum. The attacker actually claims to possess almost twice as much data — 39 million compromised accounts.
What is Aptoide? The open nature of Android means that users can download apps from different marketplaces. Aptoide is a popular Portugal-based platform uniting different app repositories. It offers access to more than 1 million Android apps for smartphones, tablets, smart TVs, and VR devices, and has more than 150 million users. The marketplace is very popular in Asia, especially in China, where Android devices are sold without a pre-installed pack of Google applications.
The company made an official statement about the recent attack on April 19. They announced that all sign-up, logins, reviews, and comments are suspended until they finish the full forensic analysis.
Two days later, the company introduced a passwordless authentication system, which will send random codes to users’ emails. The outlet won’t store the passwords, only emails hashed with bcrypt incorporating a salt and being very resistant to brute-force search attacks. It is also possible to request the removal of the account.
The company mentioned that 97% of the users never signed up to the app, therefore their data wasn’t exposed.
But records of the 3% who created an account to comment or review the products, is likely to be leaked. However, the company claims that if users signed up with a Google or Facebook account, their passwords weren’t referenced in a breached database: “There is an entry in the "password" but it is just random characters”. This statement is intriguing to experts because it is unclear whether the hackers generated random passwords to sell the database or the company misinformed the general public.
The passwords of users who created an account with email validation are available in SHA-1 encrypted form. The company’s comment is not comforting: “you should not consider your password secure”, “although the attack on SHA-1 is possible, it takes a long time to do it in a pure brute force attack”. Nonetheless, it is currently possible to find a base with about 5,500,000 decrypted passwords from the leaked Aptoide credentials database in the Dark Web.
To keep your data safe, we recommend checking if your email account was breached (and where) with a free BreachReport service. You can also subscribe to the monitoring to be immediately notified if your data hit the Dark Web to take immediate protective actions.
The attack on Aptoide caused a mixed reaction in the hacker community because many IT professionals are active users of the app. The outlet is positively received as an alternative third-party platform ‘with unrestricted content and the opportunity to create and share your own store’, ‘revolutionizing app distribution and discovery’. Aptoide offers many paid apps for free and imposes no geographical limitations in terms of app distribution. It represents serious competition for Google globally. This is why the app cannot be found on Google Play, its installation and display is chronically sabotaged by Android. According to Aptoide, they have lost about 15-20% of unique users in the last years due to these anti-competitive practices. Aptoide even won a case against Google in 2018 when the IT-giant used Play Protect security system to secretly uninstall the alternative app from millions of users’ devices.