Website hacks are nothing new, and it's all but certain that everybody has had at least a couple of login credentials and other details exposed at some point. Unfortunately, another incident has occurred, this time at the Aptoide app store. Minimal personal information and no payment details were exposed, but login credentials were.
Aptoide may not be familiar to most Android users, but it has grown to become the largest independent app store in the world with a reported 150 million users. It's designed to allow developers to build their own app stores that function as part of a larger registry.
The hack was first revealed on April 17th through the Under the Breach Twitter account. 39 million accounts were reportedly copied, with 20 million of those leaked to a public forum as proof. Records include email addresses, SHA-1 hashed passwords, names, birthdays, account status, and the IP address and user agent from the last login. Also included are login and developer tokens, and a flag indicating whether an account belonged to a super admin.
Aptoide later followed up with different numbers, which may indicate that as many as 49 million user accounts could have been accessed. However, approximately 32 million of those accounts used OAuth logins through Google and Facebook, so no passwords are associated with them. Passwords for all remaining accounts were hashed with SHA-1, which is no longer considered a secure hashing algorithm. For password storage the bigger problem is that SHA-1 is a fast general-purpose hash rather than a deliberately slow, salted password hash, so a dictionary attack on a leaked hash table is cheap; the reports do not say whether Aptoide's hashes were salted.
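To show concretely why a leaked table of SHA-1 password hashes is worth worrying about, here is an added example (not code from the original article, and not Aptoide's own code) that runs a dictionary attack against a constructed set of unsalted SHA-1 records in the shape described above, then runs the same attack against the same passwords stored with salted, iterated PBKDF2. The email addresses, the wordlist, the sample passwords and the iteration count are all invented for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo data (not real Aptoide records): a tiny "leak" of
# (email, unsalted SHA-1 hex digest) pairs, plus the attacker's wordlist.
SHA1_RECORDS = [
    ("alice@example.com", "7c4a8d09ca3762af61e59520943dc26494f8941b"),  # sha1("123456")
    ("bob@example.com",   "5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8"),  # sha1("password")
    ("carol@example.com", hashlib.sha1(b"Tr0ub4dor&3-correct").hexdigest()),  # not in wordlist
]
WORDLIST = ["123456", "password", "qwerty", "letmein", "aptoide2020", "iloveyou"]

# Demo iteration count (assumption for this example). Production deployments
# should use a much higher count or a memory-hard KDF such as Argon2id.
ITERATIONS = 100_000


def sha1_hex(password: str) -> str:
    """Unsalted SHA-1, the scheme the leaked hashes are reported to use."""
    return hashlib.sha1(password.encode()).hexdigest()


def crack_unsalted_sha1(records, wordlist):
    """Dictionary attack on unsalted fast hashes.

    Without a salt, one lookup table built from the wordlist reverses every
    record at once; cost is len(wordlist) hashes regardless of record count.
    Returns {email: recovered_password_or_None}.
    """
    table = {sha1_hex(w): w for w in wordlist}
    return {email: table.get(digest) for email, digest in records}


def hash_password(password: str, salt=None) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as 'salt_hex$dk_hex'."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    salt_hex, dk_hex = stored.split("$", 1)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_salted_slow(records, wordlist):
    """Same dictionary attack against salted PBKDF2 records.

    The per-record salt defeats the shared table: every (record, candidate)
    pair costs a full KDF run, i.e. up to len(records) * len(wordlist) *
    ITERATIONS hash invocations. Weak passwords still fall; they just cost more.
    """
    return {
        email: next((w for w in wordlist if verify_password(w, stored)), None)
        for email, stored in records
    }


def attack_cost(n_records: int, n_candidates: int, salted: bool, iterations: int = ITERATIONS) -> int:
    """Worst-case number of underlying hash invocations for the dictionary attack."""
    return n_records * n_candidates * iterations if salted else n_candidates


if __name__ == "__main__":
    print("unsalted SHA-1:", crack_unsalted_sha1(SHA1_RECORDS, WORDLIST))
    pbkdf2_records = [
        ("alice@example.com", hash_password("123456")),
        ("carol@example.com", hash_password("Tr0ub4dor&3-correct")),
    ]
    print("salted PBKDF2:", crack_salted_slow(pbkdf2_records, WORDLIST))
    n = len(SHA1_RECORDS)
    print("cost ratio:", attack_cost(n, len(WORDLIST), True) // attack_cost(n, len(WORDLIST), False))
```

The point of the comparison is the cost model, not the specific wordlist: against unsalted SHA-1 the attacker pays for the wordlist once and reuses the table across all 39 million records (and against common passwords can skip hashing entirely by using a precomputed table), whereas a salted slow hash forces the full iteration count per record per guess, which is what turns a weekend job into an infeasible one for anything but the weakest passwords.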
These numbers are actually pretty low, which is owed to the open access model Aptoide uses. Users need accounts to leave ratings and comments, but not simply to download or update apps. Aptoide also explained that very few accounts are likely to have names or birthdays on record, and there's no payment information or other exploitable data.
For most users, this means only the email address and hashed password are consequential leaks. Users should change the password on any other account that uses the same email address and password, since reused credentials are the first thing attackers try with a dump like this. It's unclear whether the leaked login and developer tokens are still usable, or what the hackers could do with compromised developer accounts.
Aptoide is working with its data center provider to identify how the hack occurred and has temporarily disabled all account-based activity, including sign-ups, logins, and leaving reviews or comments. This shouldn't interfere with downloading or updating apps. Once Aptoide re-opens accounts, users will be required to set a new password on their next login.