Cerberus Acknowledges Data Breach, States Some Usernames and Encrypted Passwords Stolen

When you commit to anti-theft software, the last thing you expect to worry about is the security of the information held by the company behind it. The three-person team behind Cerberus, a popular anti-theft application for Android, revealed today that a data breach allowed hackers to steal usernames and passwords (encrypted, thankfully). 96,564 accounts have had their passwords reset, so this isn’t some small-scale hack we’re talking about here.

Cerberus goes on to inform users by email that no personal information other than what is stated above was accessed, and that email addresses in particular were not accessed. They strongly noted that “These accounts have not been accessed in any way.”

Users are also told to go here to reset their passwords as soon as possible, and to verify that no unauthorized instructions were sent to their Android phone or tablet while the account was vulnerable.

Only three accounts have actually been accessed by the hackers, but if you are unfortunate enough to be one of those three, know that the activity was blocked and your password reset. As of March 26, none of the data obtained by the attacker had been released publicly, as far as they know.

The full email sent out to users is down below:

Our Security Team recently discovered and blocked suspicious activity on Cerberus servers. The investigation found no evidence that your account was in any way accessed or compromised.

However, the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.

While the accessed passwords are encrypted, as an extra precaution we have immediately secured these accounts invalidating the current passwords.

Please create a new password by signing into your account at www.cerberusapp.com and selecting the “Forgot password?” option, or go directly here: https://www.cerberusapp.com/forgotpwd.php . Submit the form and you will receive an email with further instructions to set your new password.

After you reset the password, you can verify that no unauthorized commands have been sent to your Android device. Open Cerberus on your device, log in and select the “View Cerberus log” option at the bottom of the app settings.

We sincerely apologize for the inconvenience of having to change your password, we take security of our users very seriously and are constantly working to improve it.

If you have any questions, please do not hesitate to contact Cerberus Support at [email protected]

The Cerberus Team

For more, check out their Google+ post on the matter.

Via: +Cerberus
  • mustbepbs

    This is why I don’t use stuff like LastPass. It’s only a matter of time before that safe gets cracked.

  • JackMeOffski

    If you use these kinds of apps to keep track of all your passwords, you’re a moron!!

  • Bryan

    Besides other accounts with the same user id and password, I would be more concerned about how deep they got into Cerberus servers. If they are able to start sending commands remotely to your phone, they might be able to get malware onto the phone without you knowing it. This would be the bigger target for today’s hackers. The shift has been from PC to mobile and the malware writers are trying to find ways of getting mobile malware installed on your phone so they can get things like two factor auth codes (i.e. SMS from your bank) or grab your credentials when you log in to sites from your mobile device.

    One of the Cerberus functions is the ability to send SMS messages. They might be able to somehow send an SMS to tell your phone to visit a drive-by malware site or do something else that they want. I don’t use Cerberus, but who knows what else they can do if they have control of Cerberus servers.

    Just a message from your friendly infosec professional.

  • Ryan

    I’ve already seen this on Android Police before it was posted here, but it is good to know that hopefully all the top Android sites are reporting this. I already reset my password as soon as I read the article. I didn’t get the email, but better to be safe than sorry, especially with an application like Cerberus.

  • Jason Smith

    Hope you guys also realize that means you should reset any other account’s password that has the same password as your Cerberus account. Not that you should be sharing passwords between accounts, but I know it happens – I even do it for accounts I don’t care about.

    • JoshGroff

      I have a set password for accounts that aren’t important, just makes it easier to remember.

  • DangerZone

    Thanks DL. I love Cerberus, it helped me discover my wife’s affairs.

    • The Narrator

      That’s why you don’t get married buddy

    • Nathan Patel

      How…?

  • Silver Veloz

    Thanks DL. Just reset my password. Nothing fishy on the account.

  • droidrazredge

    Going to reset my password and check my logs! Thanks DL for doing an article about this. I would have never known about this. It’s also good to see this company take action quickly to minimize damage and help the users of their app.

  • KleenDroid

    Amazing