The following communication was sent via email to all the users whose data is involved in the leak. Keep reading after the email for more information.

"Our Security Team recently discovered and blocked suspicious activity on Cerberus servers. The investigation found no evidence that your account was in any way accessed or compromised.

However, the attacker(s) were able to gain access to usernames and encrypted passwords for a subset of our users. No other personal data (emails, device information, etc.) has been accessed.

While the accessed passwords are encrypted, as an extra precaution we have immediately secured these accounts by invalidating the current passwords.

Please create a new password by signing into your account at www.cerberusapp.com and selecting the "Forgot password?" option, or go directly here: https://www.cerberusapp.com/forgotpwd.php. Submit the form and you will receive an email with further instructions to set your new password.

After you reset the password, you can verify that no unauthorized commands have been sent to your Android device. Open Cerberus on your device, log in and select the "View Cerberus log" option at the bottom of the app settings.

We sincerely apologize for the inconvenience of having to change your password; we take the security of our users very seriously and are constantly working to improve it.

If you have any questions, please do not hesitate to contact Cerberus Support at support@cerberusapp.com.

The Cerberus Team"

Here are some more details on the incident:

- The database was not accessed; passwords are hashed and uniquely salted multiple times there, and we will migrate to bcrypt soon
- The attacker was able to access a legacy log file, generated by app logins between March 1 and March 21, that contained usernames and SHA-1 hashes of passwords
- We have since deleted the log file, stopped the legacy logging procedure, invalidated the passwords for the accounts present in the log and notified the users involved
- A total of 96564 accounts had their password reset and have been notified with the email communication above. These accounts have not been accessed in any way.
- A total of 3 accounts were accessed by the attackers, before we blocked their activity and reset the passwords. Those 3 users were notified before the others with a different email communication.
- As of March 26, to our knowledge none of the data obtained by the attacker has been released publicly.
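To make concrete why an unsalted SHA-1 login log is treated as a password exposure while the salted database is not (the team's reply in the comments below confirms the logged hashes were plain, unsalted SHA-1), here is an added illustration; it is not Cerberus's code, uses invented accounts, and uses PBKDF2 from Python's standard library as a stand-in for the bcrypt/scrypt the post mentions:

```python
import hashlib
import hmac
import os

# Constructed sample data (invented usernames/passwords): two users who
# happen to share a password, as the legacy login log would have recorded them.
LEGACY_ACCOUNTS = [("alice", "correct horse"), ("bob", "correct horse")]
ITERATIONS = 200_000  # PBKDF2 work factor; raise it as hardware gets faster

def legacy_log_line(username, password):
    """Model of the retired logging path: username plus an unsalted SHA-1 of
    the password. Equal passwords give equal digests, and a digest can be
    recomputed from a guess with no per-user data at all."""
    return f"{username}:{hashlib.sha1(password.encode()).hexdigest()}"

def login_audit_line(username, success):
    """What a login log should carry: identity and outcome, never the
    password or anything derived from it."""
    return f"login user={username} result={'ok' if success else 'fail'}"

def store_password(password, salt=None):
    """Hardened form: random per-user salt plus a slow KDF (PBKDF2-HMAC-SHA256
    as a stdlib stand-in for bcrypt/scrypt). Only the returned record is
    persisted; the salt travels inside it."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(record, password):
    """Recompute with the stored salt and iteration count; constant-time compare."""
    algo, iters, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def digests_collide(lines, field_index, sep):
    """True when two stored values are identical: expected for the unsalted
    legacy log, and ruled out by the per-user salt in the hardened records."""
    digests = [line.split(sep)[field_index] for line in lines]
    return len(set(digests)) < len(digests)

if __name__ == "__main__":
    legacy = [legacy_log_line(u, p) for u, p in LEGACY_ACCOUNTS]
    hardened = [store_password(p) for _, p in LEGACY_ACCOUNTS]
    print("legacy collide:", digests_collide(legacy, 1, ":"))
    print("hardened collide:", digests_collide(hardened, 3, "$"))
```

The collision check is the practical difference: one recovered legacy digest identifies every user sharing that password, whereas each hardened record must be attacked on its own and at the KDF's cost.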

We are working closely with law enforcement on this matter, so unfortunately we can’t share any more details at the moment. We will update this post when we have any news.

If you received the email communication and use the same username/password combination for other services, we strongly recommend that you change the password for those services too.

We are deeply sorry for what happened. We have already contacted a security firm and in the coming weeks we will do a thorough code audit and security assessment of our infrastructure and procedures.

We are a small team (3 people) and are trying our best to provide a secure service that you can trust to protect your devices and help you recover them if they are lost or stolen.
 
Thank you for being honest and upfront about the situation. Unfortunately, these types of incidents are too commonplace. What you are doing is right by me as a user. As with anything, I am confident you will learn from this and make the product/service better.
 
Nice communication. Thanks for the details.
 
I can't access my account due to an old email address being used, and as you've reset all passwords I'm stuck.  How do I sort this to my current email?
 
Thanks, but luckily I was spared, hahaha. Changed it anyway!
 
Thanks +Cerberus for warning us. I don't regret buying your app. It should always be preinstalled on Android phones!
 
Thanks so much for keeping us informed and properly handling the situation as well as protecting our privacy and information. You've done a fabulous job so far and this communication is more than I can ask for. No worries, I'm still a very happy and satisfied customer. That's way more than I can say about some other companies. In any event take care, get some rest and keep allowing me to be safe in the knowledge that should my phone disappear I can make all the data on it disappear as well.
 
Thanks for taking care of us so well, and being so open about what happened. It adds a lot of peace of mind, knowing exactly what happened, and that my data was safe.
 
If I can help you in any way, please contact me as soon as possible; it's a great satisfaction to me to improve serious apps like yours. And I would love to pay a few more dollars to continuously help improve and maintain Cerberus... The best in the market. Hugs and thanks for your professional services and feedback.
frank s
 
Good catch. I hope that your persistence continues and these attacks are thwarted sooner.
 
I use LastPass so they're unlikely to brute force mine, but I'm glad you've done this anyway. Better safe than sorry.
 
I'm completely sure that you will do your best in this matter. I will continue to use Cerberus and sleep well at night, despite what's happened.
I've got no doubt that you will go a long way to prevent something like this from ever happening again!
Thanks for being open and giving the heads up! 
 
Second security breach in under 12 months. I will be shopping for alternatives; you clearly cannot be trusted!!
 
+Tommy Nunno Sadly no one can assure you of being 100% secure in this world. But good luck with your search... ;-)
 
I cannot log in or uninstall it from the Play Store since admin rights are needed. I removed it with TB. Thanks for the heads-up!
 
Legendary. A great show of transparency towards users. Cerberus rocks!
 
I appreciate the honesty and forthrightness. 
 
Were the salts also logged with the hash? Otherwise I think we are pretty safe regarding the possibility of the passwords being compromised.
 
Well handled +Cerberus, being so open gives me more confidence in your service, so thanks for that.
 
It happens to the best of us! Keep up the "GOOD" work! I was one who received the email above, but as I work in this environment and know how stressful & painful a situation like this is, I was more than satisfied that your company had the guts to announce the hack! This announcement really shows that your company wants to do more and is not playing around! I recommended your software to 3 people who bought the licence and I'm not sorry! Please keep up the good work, keep the software light with needed features and it will get to the top!
 
Would 2-factor auth help prevent this being a problem?
 
With all the accounts you hold, they got just 3? Good job!! Confidence restored :D
 
All too often a company gets hacked and they release only the most basic information. Your frank and detailed communications on this matter are admirable and most welcome. Though could you please confirm if the hackers had access to the salts along with the hashes?
 
Can you add two-factor auth linked to mail so we can have a bit better security than just passwords?
 
For the last month, every time I restart my phone I get a message from Cerberus with my current location, and I detect a lot of traffic from my mobile tracker. Does this have something to do with it?

Since today the tracker's traffic is going down.
 
Thank you guys for having such an awesome service that truly protects my phone! Cerberus will be on my phone and coming phones.
 
+Cerberus do a hacker challenge (reward people who help find and fix exploits) to hack your service, and then have them tell you how they did it and how to fix it.
 
+Cerberus - you're fortunate that it was only a few accounts, but please start using a proper KDF - like scrypt - that's suitable for password storage.

An external audit is definitely a good idea too.
 
No email received, so I'm fine I assume? 
 
+Dan Da Costa you should change your password anyway, and any password that was the same as that one.
 
Clear, honest and upfront. Can't ask for more. Thank you.
 
I am one of those affected and I had to change my password. Damn it.
 
Does the password have to be changed on every device?
 
From their website and from a computer; from the mobile it wouldn't let me.

Regards
 
+Cerberus Thanks for providing us with information on the breach. I'd really like to see Two-Step Verification added for your website with Google Authenticator. 
 
+Adie Stainton
Hello Adie
I'm in exactly the same situation as you:
I can't remember the old e-mail address I registered with
so I can't do anything to reset my password
and I wonder where Cerberus will send the "how to" reset link
It's very frustrating.
I haven't received any information from Cerberus yet
Could you tell me when it is OK for you?
I'll do the same if it's OK for me
Cheers
 
Like others, I appreciate the announcement and open approach you have taken with this incident. In fact, it was so open that I initially suspected it was a phishing scam of some kind. Having seen the announcement in multiple places has reassured me that this is not a phishing scam.
 
Thank you for your honest explanation of what happened and further instructions on what to do. Hope you will be able to solve all of the issues and will make Cerberus more secure. 
 
Great work guys. +1 for your hard work.
 
I have a question: what should we be looking for in the logs, where you guys posted:
"After you reset the password, you can verify that no unauthorized commands have been sent to your Android device. Open Cerberus on your device, log in and select the "View Cerberus log" option at the bottom of the app settings."
 
So, if my username/PW still work, and I didn't receive an email, then my account is OK?
ZeN KuN
 
Amazing, like others I appreciate the honesty; for me it wasn't a big deal to change my password :)
 
+Cerberus Great job on openness! Thanks for being up front. Trust in Cerberus +1
 
+Cerberus thanks for being honest, and more thanks for the quick action on this. And maybe it's time to implement two-way authentication for better protection. ;)
 
How about a log to see what commands have been used?
Simon W
 
You are great, Cerberus team! Thanks for letting us know!
 
Hi Cerberus. I have problems logging in; my user ID and password don't exist, and I haven't received your email. Please help me if you can, thanks.
 
Done, thanks for the heads-up!
 
I now understand why the program is malfunctioning. Thanks for the honesty.
 
Thanks for the openness and transparency. One complaint about the communication is that the email provided the URLs to reset the password. If there's one thing about phishing it's that you never should click URLs in emails that ask you to provide login credentials!
 
Done, thanks Cerberus for the heads-up!
 
I stopped using cerberus a long time ago. The data breaches and lack of development were the cause.
 
Good response. However, I would like to know if those phones were accessed using the software prior to resetting their passwords.
Email notification is OK, but did the hackers use the software to get data?
 
It's good that you did that. Still sucks you blocked some of the best features of your product. 
 
First of all, thanks to everyone who is supporting us!

People who are experiencing issues, like an old/wrong email associated with your account: please write an email to support@cerberusapp.com specifying your username, so we can assist you better.

Regarding the 2-step authentication, we are thinking about it. The problem is that you have to be able to log into the website if your device is stolen, so 2-step auth should not be tied to an app on the device or phone number.

Perhaps it was not clear in the post, but the log retrieved by the attacker contained plain SHA-1 hashes of the passwords, not salted. That's why we invalidated the passwords and suggested that affected users change the password for other services where they might use the same user/pass combination.

To people who ask how they can view the log, just open the app on your device, log in, then select "View Cerberus log" at the bottom of the app settings. Check if there are any commands received that you did not send.
 
Another one??
My username and password don't work any more... get this off my phone please.
 
Are the passwords now being hashed and salted? I want to make sure this doesn't happen again!
 
I can't get into my account; I bought the application, did they steal it from me?
 
Great app. A multitude of functions and the possibility to hide the application in the menu deserves +
 
I understand you, but this is pretty serious, as an attacker with an account can remotely wipe my phone...
 
I believe you have been hacked again too. Last time when you were hacked, my phone registered every turn on and off and sent it to me by mail (this didn't happen before), and this week it started again.
 
I don't understand, someone hacked your phone through these applications?