Cerberus Anti-Theft is the type of app that users install for peace of mind. The service offers the ability to track a device's location, record audio through its microphone, lock it, or wipe it remotely in the chance that it falls into the wrong hands. Unfortunately, this line of defense could be a person's worse nightmare if their account were compromised. That's why it was no small deal when Cerberus recently sent out this email to some of its users, alerting them that a number of usernames and passwords were stolen in a recent data breach.


The company has since issued this admirably detailed statement. In short, the security team recently discovered suspicious activity on Cerberus servers. The attackers were able to get away with stolen usernames and encrypted passwords, but no other data. Just shy of 100,000 accounts were affected, and to play it safe, the company has secured the affected accounts by disabling their current passwords. Those users will have to change their passwords and can do so at: https://www.cerberusapp.com/forgotpwd.php.

Here are some more details on the incident:
- The database was not accessed, password are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
- The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, that was generated by the app logins between March 1 and March 21
- We have then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present into the log and notified the users involved
- A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
- A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
- As of March 26, none of the data obtained by the attacker was released publicly, that we know of.

This incident follows a similarly frightening situation seven months ago, where a determined hacker could potentially use brute-force methods to find the IMEI numbers of user devices and remotely activate some of Cerberus's functions. That security hole has since been fixed. The Cerberus team consists of three people, and it looks like they have their hands full. Still, we commend them for their transparency.

Here is the Cerberus support forum for anyone who would like additional communication.

Thanks, Chris, Abhilash, and everyone else who sent this in!

Bertel King, Jr.
Born and raised in the rural South, Bertel knows what it's like to live without 4G LTE - or 3G, for that matter. The only things he likes sweeter than his tea are his gadgets, and while few objects burn more than a metal phone on a summer day, he prefers them that way anyway.

  • http://www.google.com/ Roshan

    Got this email.
    Changed password as soon as I got. :)

    • Rami

      Same here, got email, changed password asap..

      Cerberus should be top security, because if somebody gets our password, they can login and do remote wipe, which will cause a lot of problems.

  • yodatom10

    thats two hacks in under 12 months.... I understand you can't be totally secured but I don't see lookout,avg etc having this issue I will be looking for alternatives. Can't be risking my devices

    • Frederico Silva

      So I guess you still believe in Santa? I for one, applaude their transparency, often we hear these things happen through the press and then from the company involved, this time it was the other way around (the correct way). Bought it a few months ago, totally worth it.

    • John

      I don't think you understand that EVERY company is susceptible to being compromised, even the best. They just don't announce it like others do.

      • Joseph Cascio

        Just like Target

        • John

          Exactly..who has one of the best security depts of any company, too

      • Stan

        Is Google included in those 'EVERY' company ?

        Because I don't see they announce about data breach often. Either they very secure, or the hacker was very good at leaving no traces.. :D

      • Okay….

        Okaaay.... if that's the case then none of these apps will ever be useful, ever, except if you want to leak something to hackers.

        Not EVERY company runs windows or apple garbage, son.

    • hazza

      Technically, the first incident wasn't a hack, it was a security hole discovered by a third party. One that was closed almost immediately.

  • varagor

    I was worried when I saw the title of the post, but their handling of the incident is admirable.

  • Alejandra Legrottaglie

    It's weird, I didn't got the email, I still changed my password tho.

    • xnadax

      If you didn't get the e-mail, your account wasn't among the ones affected by the breach.

    • The Seventh Son

      I didn't get the email either, but will change my password just in case.

    • The Seventh Son

      I didn't get the email either, but will change my password just in case.

  • melhiore

    Well, I am testing Cerberus app, still two days to go before ordering the license... Now I have a little thinking to do and decide if I want to get the full version...

    • http://robert.aitchison.org raitchison

      I've been using Cerberus for years and cannot recommend it highly enough.

  • Lamm

    I got the e-mail, and indeed my password was blocked when I tried to log in using it.

    I changed the password, now I think I`m fine.

    Their transparency is admirable.

    • CallMeTravis

      Mine was blocked as well. Is it blocked because the hacker changed it. Or Cerberus reset all passwords?

      • Zach B.

        " and to play it safe, the company has secured the affected accounts by disabling their current passwords."

      • Sorian

        Cerberus reset all passwords to the compromised accounts.

      • Grombadjig

        Hey, instead of calling you Travis, can I call you Read the Motherfucking Article?

  • IronBlood

    still the best security app

    • cabbieBot

      +1. I think many folks are getting a myopic view of the picture since the Cerberus team actually reported it, so it 'looks' really bad but really is a sign of how quick to react and transparent they are with how they operate. I don't have any insider information but I'd wager that if the other security app devs out there were as forthright as the Cerberus team, that one would get a very different view of the landscape.

      Moving on, I wonder if it was a targeted attack against those 3 people who had their accounts entered, and the rest were just collateral damage on the snatch and grab.

  • Sorian

    Password changed, just in case.

  • Glentor

    Transparency is admirable but Transparency doesn't keep your data secure. 2 instances inside of a year from a 'security' app should cause users to rethink what apps they use for their security.

    • Yup

      Yeah, it's not acceptable. This is the kind of breach that causes the military to do burn-and-salt operations.

  • Abhilash Tiwari

    You're welcome! :)

  • Firmino
  • ram

    The best app and most reliable app for ur phone at the extremely cheap price...

    The team is transparent and could announce the security breach to the public...Keep rocking Cerberus Team...We would definitely support you in any circumstances...:)

  • Dario · 753 a.C. .

    anyway only 3 of the all stolen accounts had been ENTERED as well. so not only leaked as the other ones.
    now i really don't know how the hackers did cause they said passwords are sha1 encrypted.

    have they done a brute force attack??

  • Dario · 753 a.C. .

    the app is great and their transparency is admirable. but i think they just gotta do something to make security better. i know, the app can't have a 2 steps authentication, cause if someone steal your phone you can't receive the code, but they just have to invent something.

    for example, what about introducing, on the web sites, a log of all the IP with the date that made a login in your account as gmail, dropbox, outlook, MEGA already has?

    how about send you an email for everytime a login in their website has done?

    so if someone enters my account i'll receive an email. if i'm me to enter the account i'll receive that as well but i'll deleted the email not caring about that cause i know i was me...

  • SorryGuysButThatsIt

    It's a shame, but unfortunately - that's the end of the road for Cerberus. With this kind of application there are no second chances.

    In the world we live in can we secure servers? Well - if you can't, you're doomed.

    This seemed like a very useful app, but also a scary one. In these breach circumstances I'm afraid the further risk is intolerable.

    • Mike Reid

      End of the road ? Nah...

      Not everyone has "near perfect" security as a requirement, people have short memories, and new customers always come along.

      Worst that happens is a company moves down a "tier".