Hackers stole usernames and password hashes from a log file

Mar 28, 2014 14:23 GMT  ·  By

Over 96,000 users of the Cerberus anti-theft application for Android are being advised to change their passwords after the company suffered a data breach. Usernames and password hashes have been stolen, but only a handful of accounts are said to have been accessed by the hackers. 

“Our Security Team recently discovered and blocked suspicious activity on Cerberus servers. The investigation found no evidence that your account was in any way accessed or compromised,” the company wrote in an email sent to affected customers.

“However, the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.”

Cerberus has revealed that a total of 96,564 accounts are impacted, and has clarified that only three of them were actually accessed by the attackers. The owners of those three accounts were notified separately, ahead of the other users, with a different email.

The hackers gained access to a legacy log file containing usernames and SHA-1 password hashes recorded from logins made between March 1 and March 21. Cerberus says the legacy logging procedure has been terminated and the log file in question has been deleted. Credentials, hashed or not, do not belong in application logs: a log file usually sits outside the access controls, monitoring and retention rules that protect the account database, which is exactly how it became the weak point here.

The exposed passwords are “hashed and uniquely salted multiple times,” according to Cerberus, which says it will soon switch to bcrypt for password hashing. A per-user salt defeats precomputed lookup tables, but SHA-1 is built to be fast, so an attacker holding the file can still test a very large number of guesses against each salted hash offline; bcrypt is deliberately slow and has a tunable cost factor, which is why it is the recommended replacement.
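To make the difference concrete, here is an added example (not Cerberus's code, and not the construction they actually used, which was never disclosed). It models the stolen file as one-round salted SHA-1 entries, runs the per-account dictionary attack that a stolen salt does nothing to prevent, and then shows the slow-hash alternative. Since bcrypt is not in the Python standard library, PBKDF2-HMAC-SHA256 from `hashlib` stands in for it; the point being demonstrated, a tunable work factor stored alongside the hash, is the same. The weak password and the wordlist are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time

# Constructed sample data for this demonstration (not from the breach).
WEAK_PASSWORD = "letmein1"
WORDLIST = ["password", "123456", "qwerty", "cerberus", "letmein", "letmein1"]

# Assumed work factor for the slow hash; raise it as hardware gets faster.
ITERATIONS = 100_000


def legacy_hash(password, salt):
    """One round of salted SHA-1: a simplified, assumed stand-in for the
    'hashed and uniquely salted' scheme described in the article."""
    return hashlib.sha1(salt + password.encode()).digest()


def crack_legacy(stored, salt, wordlist):
    """Per-account dictionary attack. The salt is stored next to the hash,
    so it only blocks precomputed tables; the attacker simply re-salts each
    guess, and SHA-1 is fast enough that this loop is cheap."""
    for guess in wordlist:
        if hmac.compare_digest(legacy_hash(guess, salt), stored):
            return guess
    return None


def slow_hash(password, salt, iterations=ITERATIONS):
    """Stand-in for bcrypt: PBKDF2-HMAC-SHA256 with a tunable iteration
    count, so every attacker guess costs as much as a legitimate login."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def make_record(password):
    """Store algorithm, cost and salt beside the hash, so the cost can be
    raised later for new logins without re-hashing everyone at once."""
    salt = os.urandom(16)
    digest = slow_hash(password, salt)
    return "pbkdf2_sha256${}${}${}".format(ITERATIONS, salt.hex(), digest.hex())


def verify_record(password, record):
    """Recompute from the parameters in the record and compare in constant time."""
    alg, iters, salt_hex, digest_hex = record.split("$")
    if alg != "pbkdf2_sha256":
        return False
    actual = slow_hash(password, bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(actual, bytes.fromhex(digest_hex))


def seconds_per_guess(hash_fn, guesses, salt=b"\x00" * 16):
    """Offline cost of one guess for an attacker running hash_fn."""
    start = time.perf_counter()
    for i in range(guesses):
        hash_fn("guess%d" % i, salt)
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    salt = os.urandom(16)
    stolen = legacy_hash(WEAK_PASSWORD, salt)
    print("salted SHA-1 entry cracked as:", crack_legacy(stolen, salt, WORDLIST))
    rec = make_record(WEAK_PASSWORD)
    print("slow-hash record:", rec)
    print("verify correct password:", verify_record(WEAK_PASSWORD, rec))
    print("verify wrong password:  ", verify_record("letmein2", rec))
    print("cost per guess, salted SHA-1: %.2e s" % seconds_per_guess(legacy_hash, 20000))
    print("cost per guess, PBKDF2:       %.2e s" % seconds_per_guess(slow_hash, 5))
```

Run it and compare the two per-guess costs: the salted SHA-1 loop tests a guess in about a microsecond, while each PBKDF2 guess costs tens of milliseconds, several orders of magnitude more for the attacker at a price the server only pays once per login. The record format is what makes a later cost increase painless, which is the migration Cerberus will face when it moves to bcrypt.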

The company says it hasn’t found any piece of evidence to suggest that the information stolen by the hackers has been made public.

“We are working closely with law enforcement on this matter, so unfortunately we can’t share any more details at the moment,” the Cerberus Team explained.

Users who have been using the same username and password combination for other online services are advised to change those credentials as a precaution, since a cracked hash from this file could be replayed against any site where the password was reused.

“We are deeply sorry for what happened. We have already contacted a security firm and in the next weeks we will do a thorough code audit and security assessment of our infrastructure and procedures,” Cerberus noted in its statement.

“We are a small team (3 people) and are trying our best to provide a secure service that you can trust to protect your devices and help you recover them if they are lost or stolen.”

While most of Cerberus’ customers appear to be content with the way the company is handling the situation, there are a few who claim they’ll be looking for alternative software to secure their Android phones in case they’re stolen or lost.