Alternative Android app store Aptoide has suffered a major data breach

Aptoide, one of the more popular alternative Android app repositories, has suffered a major data breach of more than 20 million user records, ZDNet reports. The breach has since been acknowledged by Aptoide itself in an FAQ-style blog post.

In its blog post, Aptoide reassures users that an internal team is working with data center partners to better understand how its databases were compromised.

Aptoide claims that 97 percent of its users have never actually signed up for an account — downloading apps through the repository does not require any sign-up at all — but the service says it has more than 150 million users worldwide. That 3 percent of users who did sign up for an account is still a few million people.

Aptoide also says it’s the safest alternative app store available for Android. Whether or not that's true, this breach is a reminder that users need to be more vigilant than ever in protecting their own credentials.

Ashamed and apologetic — Aptoide says it really has no idea how someone gained access to its records.

“We feel deeply ashamed and would like to apologize sincerely,” the company said. “The security of our users is a priority for us, and we have always tried to implement policies that make Aptoid a safe environment.”

Aptoide also says it has already hired external companies to audit its infrastructure in the past. The company admits this was not enough and that it is discussing how to better store user data in the future.

Most people are probably fine — Besides the fact that most of its users don’t sign up for an account, Aptoide says those who have signed up by linking a Google or Facebook account are safe despite the breach. That login information isn’t stored in Aptoide’s databases at all. The company says that 32 million people have signed into the app that way.

Users who did sign up with an email address and password are most affected by the breach, though those credentials are encrypted in the database, Aptoide says. The company notes that these could be decrypted with a brute-force attack and reminded users to change their passwords, especially if they've used the same one for other website logins. Device details and dates of birth were also compromised in the breach if users chose to add them.

You’re never safe — Even the most secure-looking websites and other databases can be hacked. Aptoide seems genuinely surprised by the breach, and its users likely are, too.

This is not the first time Aptoide has found itself the subject of some controversy; in 2018 the company found that its app was labeled as unsafe by Google, and that some Android users were being prompted to uninstall it. Aptoide called it a ploy against healthy competition and cited a Japanese study that found Aptoide’s content to be the “safest.”

Aptoide’s reminder to create unique, secure passwords for each site you use is more important than ever. It’s easy to blame companies for failures to keep data safe — but hackers are persistent and adapt to increasingly secure systems by finding new back doors or weaknesses. Even well-trusted institutions like MGM Studios find themselves the subject of these breaches. When it comes to personal data, the best thing you can do is rely primarily on yourself to protect it, well, yourself and a password manager that makes it easy to use different, complex passwords for absolutely everything.