PSA: Cerberus breach prompts network-wide password reset


Do you use Cerberus, an Android app and service to help find and track your lost or stolen smartphone? You’ll want to head over to your account right now and change your password, as the company has revealed an unfortunate breach that may have given perpetrators access to your accounts.

An email sent to Cerberus subscribers tells us that usernames and encrypted passwords have been compromised. Thankfully no other account information was revealed to the hackers, including email addresses and any personal information that may have been tied to the account.

And since the passwords were stored in an encrypted format, the hackers likely couldn’t do anything with the information they obtained — in fact, Cerberus believes only three accounts were broken into.

Regardless, Cerberus wants to make sure everyone has peace of mind by prompting users to reset their passwords. You won’t be able to log in with your existing password to do this. Simply go to the site’s “Forgot Password” form to get it going. Once you do that, Cerberus says it’s a good idea to log into your account and check your account logs to make sure no suspicious activity has taken place (such as someone requesting a location or trying to sound the phone’s alarm).

Here’s a more detailed breakdown of what occurred with this incident:

  • The database was not accessed, and passwords are hashed and uniquely salted multiple times there. The hackers likely couldn’t access the accounts.
  • The hacker was able to access a legacy log file that contained usernames and SHA-1 hashes of passwords that were generated by the app logins between March 1 and March 21
  • They then deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
  • A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
  • A total of 3 accounts were accessed by the attackers, but Cerberus immediately blocked access to those accounts and reset their passwords. Those 3 users were notified before the others with a different email.
  • As of March 26, none of the data obtained by the attacker is believed to have been released publicly.
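As an added illustration (not Cerberus’s code), here is a Python sketch of the two controls the breakdown above points to: a logging filter that keeps password hashes out of application logs at write time, and a scan that flags a legacy log already carrying username/SHA-1 pairs. The log lines, user names and passwords are constructed for the example.

```python
import hashlib
import logging
import re

# Constructed sample of the kind of legacy login log described in the notice:
# a username next to an unsalted SHA-1 of the password. Made-up users and
# passwords, not data from the incident.
LEGACY_LOG = "\n".join(
    f"Mar-0{i} login user={u} pwhash={hashlib.sha1(p.encode()).hexdigest()}"
    for i, (u, p) in enumerate([("alice", "hunter2"), ("bob", "correcthorse")], 1)
)

# A bare 40-hex-digit token is the shape of a SHA-1 digest.
SHA1_TOKEN = re.compile(r"\b[0-9a-f]{40}\b")


def find_leaked_hashes(log_text: str) -> list[tuple[str, str]]:
    """Return (username, sha1) pairs for lines that carry a credential hash."""
    hits = []
    for line in log_text.splitlines():
        user = re.search(r"user=(\S+)", line)
        digest = SHA1_TOKEN.search(line)
        if user and digest:
            hits.append((user.group(1), digest.group(0)))
    return hits


class CredentialRedactor(logging.Filter):
    """Logging filter that masks password-like fields before a record is written."""

    FIELDS = re.compile(r"(pw(?:hash)?|password|passwd)=(\S+)", re.IGNORECASE)

    def filter(self, record: logging.LogRecord) -> bool:
        # Format first so %-style args are folded in, then mask the value.
        record.msg = self.FIELDS.sub(r"\1=[REDACTED]", record.getMessage())
        record.args = ()
        return True  # keep the record, just without the secret


def redact(line: str) -> str:
    """Run one constructed log message through the redactor and return the result."""
    record = logging.LogRecord("auth", logging.INFO, __file__, 0, line, (), None)
    CredentialRedactor().filter(record)
    return record.getMessage()
```

Attaching `CredentialRedactor` to the login logger (`logger.addFilter(CredentialRedactor())`) is the write-time control; `find_leaked_hashes` is the check to run over logs that already exist.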

That’s the skinny of it, folks. These things happen, and it’s unfortunate when they do, but the most you can ask for is that the developers are responsible enough to provide proper communication and take necessary measures to ensure everyone is protected. That’s exactly what Cerberus did.


Of course, they’ll be looking into ways to improve their security even more down the line to make sure something like this doesn’t happen again, and they have already contacted security experts for a systems audit to see where and how they can improve.

[via Google+]



  • rageboardr

    Is Cerberus still relevant, now that we have Android Device Manager?

    • El Presidente

      I’ve found Cerberus much more reliable at tracking my devices than ADM.

      Plus, I like the additional features Cerberus offers like the pic/video capture etc.

    • Michael Quinlan

      The primary feature ADM lacks for me is the ability to track devices other than my own (i.e. those of family members). Additionally, features of Cerberus not available in ADM include control via SMS, remote unlocking, and reacting to failed unlock attempts.

      • rageboardr

        On the computer you can track multiple devices. I have five that I watch, and can wipe. But right on for the extra features if you need them.

  • Joshua Patrick

    I agree with everyone below. This was handled correctly, and I am a proud user of Cerberus. Well worth the money!!! And about Android Device Manager: it’s a great step, but it does not have all the features that Cerberus has.

    • KOLIO

      You mean you agree with the CERBERUS Shills that have posted virtually identical favorable comments?
      Nice…….

      • Michael Quinlan

        I’ve been a Cerberus user for years, and while I am displeased with the fact that they were hacked in the first place, I am pleased with their response. That said, I find the identically worded comments from RossAgart and Jason Yuen suspect at best. If similar comments appear here or elsewhere, I’ll likely end up thinking LESS of the Cerberus team.

      • Wozn2

        There are some suspicious similarities between a few of the comments. Shame on you Cerberus!

  • Craig Becker

    What a joke.

  • BrandoHD

    This article has some gross inaccuracies.

    The writer would do more justice to properly research something before he writes an article on it. This site is already late with this news; it’s really bad to be late and wrong.

    To clear things up, it is not a network-wide password reset. Only a few accounts were compromised, and all those compromised account holders were sent emails to reset their account password; other users were unaffected by this breach.

    • No_Nickname90

      Isn’t he saying that in the “More Details” section?