Google Play Store is the official Android app store, but users often end up choosing third-party app stores to get free access to a bunch of premium apps. Aptoide, one such store, is often seen on budget Android TVs. Recent reports suggest that hackers have managed to penetrate 39 million Aptoide accounts. The affected data covers users who registered with or used the Aptoide app store between July 21, 2016, and January 28, 2018.
The news was first reported by ZDNet, which worked with data breach monitoring service ‘Under The Breach’ to uncover the details. Hackers have exposed the details of 20 million Aptoide users so far. The data includes names, sign-up data, device details, IP addresses, and even birth dates. The database also includes stashed passwords and some technical information.
The official statement by Aptoide reads, “Since you are not required to create an account at Aptoide to use it, 97% of Aptoide users have never signed up. In that case, you are not impacted at all. There is no information on the databases for the users that didn’t sign up. In case you are in the 3% of the users that have created an account to make a comment or a review, your email address will be in the database, as well as the IP and user agent of the last login. The table has a birthday field and name but was not filled out when you signed up through the Android application. Only if you signed up through the web site to access dashboards. If you are one of the 8.8M users that signed up using your email address, your password is kept encrypted using the SHA-1 cypher in the database. Although the attack on SHA-1 is possible, it takes a long time to do it in a pure brute force attack. However, you should not consider your password secure. If you used a dictionary word or an easy password, your password may be reversed. If you use a shared password with other sites, you should change the password in those sites as well.”
What makes things worse is that the leak of 20 million accounts is only part of the 39 million users whose data the hackers claim to hold. The app store had previously accused Google of treating it unfairly by using Play Protect to put a security warning on the app. Aptoide users are recommended to change their passwords.
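Aptoide's statement says passwords kept with SHA-1 should not be considered secure. The sketch below is an added example, not Aptoide's code: it shows how a service holding such records can move each one to a salted, deliberately slow hash the next time the user logs in. The record layout, the unsalted SHA-1 format and the PBKDF2 settings are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Assumed cost setting for this example; tune it for the deployment.
PBKDF2_ITERATIONS = 600_000


def legacy_sha1(password):
    """Legacy scheme: one fast SHA-1 pass (assumed unsalted in this sketch)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def pbkdf2_record(password, salt=None, iterations=PBKDF2_ITERATIONS):
    """Build a record using a per-user random salt and a slow key derivation."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"scheme": "pbkdf2_sha256", "salt": salt.hex(),
            "iterations": iterations, "hash": digest.hex()}


def verify_and_upgrade(record, password):
    """Check a login attempt; return (ok, record_to_store).

    A correct password on a legacy record yields a replacement record in the
    slow salted scheme, so the SHA-1 value can be deleted from the database.
    """
    if record["scheme"] == "sha1":
        ok = hmac.compare_digest(legacy_sha1(password), record["hash"])
        return (True, pbkdf2_record(password)) if ok else (False, record)
    candidate = pbkdf2_record(password, bytes.fromhex(record["salt"]),
                              record["iterations"])
    return hmac.compare_digest(candidate["hash"], record["hash"]), record


if __name__ == "__main__":
    # Constructed sample data: two users who picked the same weak password.
    users = {name: {"scheme": "sha1", "hash": legacy_sha1("sunshine")}
             for name in ("alice", "bob")}
    # Without a salt the two stored values are identical.
    print(users["alice"]["hash"] == users["bob"]["hash"])
    for name in users:
        ok, users[name] = verify_and_upgrade(users[name], "sunshine")
        print(name, ok, users[name]["scheme"])
    # After the upgrade the same password no longer produces matching values.
    print(users["alice"]["hash"] == users["bob"]["hash"])
```

Accounts that never log in again keep their SHA-1 value, so a migration like this is normally paired with a forced password reset for dormant users.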