Dear Aptoide Community,
We come to you with an update on the Aptoide database leak.
The team is working with our data center partners in a forensic analysis of how the Aptoide database was compromised.
In parallel, all possible access to our infrastructure from outside was limited, which can cause some changes in the service.
No sign-up, logins, reviews, or comments are possible until we have a total clarification of what happened.
I use Aptoide. Am I impacted by this breach?
Probably not. Since you are not required to create an account at Aptoide to use it, 97% of Aptoide users have never signed up.
In that case, you are not impacted at all. There is no information on the databases for the users that didn't sign up.
I have created an account at Aptoide. Am I impacted by this breach?
In case you are in the 3% of the users that have created an account to make a comment or a review, your email address will be in the database, as well as the IP and user agent of the last login.
The table has a birthday field and name but was not filled out when you signed up through the Android application. Only if you signed up through the web site to access dashboards.
I have signed up with a Google Account or a Facebook Login (32M of the 49M Aptoide user accounts), was my encrypted password in the database?
No. Although your email address, IP and user agent was stored, there are no references to your password in the database - if you are one of the 32M users that signed up with FB or Google login.
There is an entry in the "password" but it is just random characters.
I have signed up and created an account using email validation. Is my password available?
If you are one of the 8.8M users that signed up using your email address, your password is kept encrypted using the SHA-1 cypher in the database.
Although the attack on SHA-1 is possible, it takes a long time to do it in a pure brute force attack.
However, you should not consider your password secure. If you used a dictionary word or an easy password, your password may be reversed.
If you use a shared password with other sites, you should change the password in those sites as well.
Are there any credit cards, social security / ID, or phone numbers in the database?
No. Aptoide never stored any credit card, payment information, social security, or phone numbers in the database.
Can I reset my password?
No need for that. All the passwords are reset once the login is resumed.
How can I remove my account from Aptoide?
Please send an email to support@aptoide.com, and we will process your request.
When will sign up / login in Aptoide be available again?
We will not open the login / sign up until we have guarantees that the user information is safe with us. It may take some time, as we will need to evaluate the possible points of failure.
The team has already performed part of the analysis and will take the next days to cover all the possible aspects.
How could this happen?
We are working tirelessly to understand how this happened and already have a few leads. We feel deeply ashamed and would like to apologize sincerely. The security of our users is a priority for us, and we have always tried to implement policies that make Aptoide a safe environment.
Besides continuous training, we have hired external companies to audit our infra-structure and perform penetration testing. It was not enough, though. We have failed to keep some of the user data safe.
Besides providing updated information as we have it, we will also have an internal discussion on how to better store and protect user data moving forward.