Cerberus Anti-Theft is the type of app that users install for peace of mind. The service offers the ability to track a device's location, record audio through its microphone, lock it, or wipe it remotely on the chance that it falls into the wrong hands. Unfortunately, this line of defense could become a person's worst nightmare if their account were compromised. That's why it was no small deal when Cerberus recently sent out this email to some of its users, alerting them that a number of usernames and passwords were stolen in a recent data breach.
The company has since issued this admirably detailed statement. In short, the security team recently discovered suspicious activity on Cerberus servers. The attackers were able to get away with stolen usernames and encrypted passwords, but no other data. Just shy of 100,000 accounts were affected, and to play it safe, the company has secured the affected accounts by disabling their current passwords. Those users will have to change their passwords and can do so at: https://www.cerberusapp.com/forgotpwd.php.
Here are some more details on the incident:
- The database was not accessed, passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
- The attacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords, which was generated by the app logins between March 1 and March 21
- We have since deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
- A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
- A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
- As of March 26, none of the data obtained by the attacker was released publicly, that we know of.
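The weak point in the list above was not the password database but a legacy login log that stored usernames next to bare SHA-1 digests of passwords. As an added illustration (not part of the original article and not Cerberus's own code), here is a small defender-side check that scans log lines for SHA-1-sized hex tokens sitting beside a username field and redacts them; the log lines, usernames and passwords are constructed for the example.

```python
import hashlib
import re

def sha1_hex(s):
    """Plain, unsalted SHA-1 of a string, as a legacy login logger might emit."""
    return hashlib.sha1(s.encode()).hexdigest()

# Constructed sample of the kind of legacy log described above: each login
# line records the username and the SHA-1 of the password that was submitted.
SAMPLE_LOG = "\n".join([
    f"2016-03-02 10:14:03 login user=alice pw_sha1={sha1_hex('correct horse')}",
    f"2016-03-02 10:15:11 login user=bob pw_sha1={sha1_hex('hunter2')}",
    "2016-03-02 10:16:40 logout user=alice",
])

SHA1_HEX = re.compile(r"\b[0-9a-f]{40}\b")   # 160-bit digest as hex
USER_FIELD = re.compile(r"user=(\S+)")

def find_hash_leaks(log_text):
    """Return (line_no, username, digest) for every line that pairs a username
    with a bare 40-hex-digit token. Such a token is credential-derived material
    and has no place in an application log."""
    leaks = []
    for n, line in enumerate(log_text.splitlines(), 1):
        user = USER_FIELD.search(line)
        for digest in SHA1_HEX.findall(line):
            leaks.append((n, user.group(1) if user else None, digest))
    return leaks

def redact_log(log_text):
    """Keep the audit trail (who logged in, when) but strip any SHA-1-sized
    token, so a leaked copy of the log carries no password-derived value."""
    return "\n".join(SHA1_HEX.sub("[REDACTED-DIGEST]", line)
                     for line in log_text.splitlines())

if __name__ == "__main__":
    for line_no, user, digest in find_hash_leaks(SAMPLE_LOG):
        print(f"line {line_no}: user={user} leaks digest {digest[:8]}...")
    print(redact_log(SAMPLE_LOG))
```

The same scan can be pointed at an existing log directory to find out whether a logging path like the one described here exists before an attacker does.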
This incident follows a similarly frightening situation seven months ago, in which a determined hacker could potentially have used brute-force methods to find the IMEI numbers of user devices and remotely activate some of Cerberus's functions. That security hole has since been fixed. The Cerberus team consists of three people, and it looks like they have their hands full. Still, we commend them for their transparency.
Here is the Cerberus support forum for anyone who would like additional communication.
Thanks, Chris, Abhilash, and everyone else who sent this in!