Aptoide users’ email addresses and hashed passwords have been leaked

The email addresses and hashed passwords of 20 million users of download store Aptoide have been published on a hacker forum. The person in question claims to have data from 39 million accounts in total. Aptoide confirms the data breach.

Aptoide, an alternative download store for Android apps, reports in a blog that there are 8.8 million accounts where the user has signed in with an email address and password. That data has come into the hands of third parties. The passwords are hashed using the sha-1 algorithm, which has not been considered very secure for years. There would also be no salt on the passwords.

The download store indicates that affected users should now consider their passwords insecure. With a brute force attack it is possible to crack the passwords. This can take a long time, but if the password is common or consists of a word from the dictionary, it is relatively easy.

Aptoide has a total of 49 million accounts. Of these, 32 million users log in with their Google or Facebook account. Of those users, only the email address is in the leaked database. There is also a password field in the database for those users, but that contains random characters, the download store says. The leaked database has been added to the data leak search engine Have I Been Pwned.

Aptoide does not yet know how the database came into the hands of third parties, but says it has clues. With data center partners, the company is trying to find out what happened. Until then, the database has been locked. As a result, it is not possible to register, log in and post reviews or comments. That functionality will be reactivated when everything has been clarified. No account is required to download apps from the Aptoide download store.