Millions of PCs vulnerable as hackers compromise CCleaner’s official installer
Hackers have compromised popular file cleanup tool CCleaner and may have been using it to inject malware into potentially millions of home personal computers over the last month.
Piriform Ltd., the maker of CCleaner, confirmed in a blog post today that certain versions of the software were compromised with a hidden backdoor that may have allowed hackers to harvest data from users.
Paul Yung, vice president of products at Piriform, said that the company identified “suspicious activity” on Sept. 12, when it found that an unknown IP address had been receiving data from software in the 32-bit versions of CCleaner and CCleaner Cloud. After further investigation, Piriform discovered that the program had been “illegally modified before it was released to the public,” meaning that users who downloaded the CCleaner installer from the official website were actually receiving a compromised version of the software.
Yung assured users that the vulnerability has been fixed and that the rogue server has been taken down. He added that “to the best of our knowledge, we were able to disarm the threat before it was able to do any harm.” According to Yung, law enforcement is also working to identify the attacker.
Cisco Talos, which first spotted the compromised CCleaner builds and notified Piriform, said that the tainted software may have already reached millions of users and that the full extent of the damage is still unclear. According to Talos, this kind of attack can be particularly harmful to software companies.
“This is a prime example of the extent that attackers are willing to go through in their attempt to distribute malware to organizations and individuals around the world,” Cisco Talos said in a blog post outlining the attack on CCleaner. “By exploiting the trust relationship between software vendors and the users of their software, attackers can benefit from users’ inherent trust in the files and web servers used to distribute updates. In many organizations data received from commonly used software vendors rarely receives the same level of scrutiny as that which is applied to what is perceived as untrusted sources.”
CCleaner Cloud users have already received an automatic update that removes the vulnerability, but Piriform advises all other users to update CCleaner to version 5.34 or higher if they have not already done so.
“The news that CCleaner has been backdoored with the Floxif malware is another reminder about how vulnerable organizations are to the software supply chain and users accidentally introducing malicious software,” James Maude, a senior security engineer at the privilege management firm Avecto, said in an email. “It is critical that organizations regain control of the applications that users are able to introduce with application whitelisting and limit the ability to inflict damage by removing admin rights.”