Major data breach exposes Keenetic router users' sensitive information
Take action: If you use a Keenetic router, immediately change all of its passwords, including admin credentials, WiFi passwords, and VPN access codes. Keep your router firmware updated and monitor for suspicious devices or activity on your network.
Keenetic, a network equipment vendor with offices in Turkey and Germany, has confirmed a data breach affecting users of its mobile application who registered before March 16th, 2023. The incident, which originated from unauthorized access to the Keenetic Mobile App database, has potentially exposed sensitive network configurations, credentials, and personal information of over one million users, primarily in Russia.
The security vulnerability was initially discovered on March 15th, 2023, when an independent IT security researcher informed Keenetic about potential unauthorized access to their mobile app database. While the company claims to have immediately addressed the issue that same day, recent developments suggest the data may not have been properly destroyed as previously believed.
On February 28th, 2025, Keenetic learned that database information had been disclosed to an independent media outlet (Cybernews), indicating that the data might now be beyond their control despite previous assurances from the researcher.
According to information provided to Cybernews researchers, the leaked data includes:
- 1,034,920 records with extensive user data, including:
  - Email addresses
  - Names
  - Locale information
  - Keycloak identity management system IDs
  - Network Order IDs
  - Telegram Code IDs
- 929,501 records containing detailed device information, including:
  - WiFi SSIDs and passwords in plain text
  - Device models
  - Serial numbers
  - Interfaces
  - MAC addresses
  - Domain names for external access
  - Encryption keys
- 558,371 device configuration records, including:
  - User access details
  - Vulnerable MD5-hashed passwords
  - Assigned IP addresses
  - Expanded router settings
- Over 53,869,785 comprehensive service logs containing:
  - Hostnames
  - MAC addresses
  - IP addresses
  - Access details
  - "owner_is_pirate" flags
The majority of affected users appear to be from Russia (943,927), with smaller numbers of English-language (39,472) and Turkish-language (48,384) users also impacted.
The breach poses several significant security risks:
- Plain text WiFi passwords and encryption keys grant attackers immediate access to affected networks
- Admin credentials allow full administrative privileges to manipulate settings or install malicious firmware
- Exposed domain names enable remote connections to vulnerable networks
- Detailed service logs with usage patterns could be exploited for blackmail, extortion, or targeted scams
- Connected devices (PCs, smart TVs, IoT devices) become vulnerable to monitoring, data theft, or control
- Personal information could be used for phishing attacks, social engineering, and identity theft
Keenetic has released an advisory urging affected users to change Keenetic device user account passwords, WiFi passwords, and VPN-client passwords/pre-shared keys for PPTP/L2TP, L2TP/IPSec, IPSec Site-to-Site, and SSTP.
The company maintains that the risk of fraudulent activity is low and notes that payment card details, banking information, and certain VPN configurations (including WireGuard VPN tunnels and OpenVPN data) were not affected.
Keenetic has notified relevant data protection authorities and claims to have "taken all necessary actions to prevent a similar situation in the future."
Keenetic, which began as a spinoff from Zyxel in 2017, has been working to distance itself from its Russian roots following the invasion of Ukraine in 2022. The company relocated its software team from Russia to Germany after warnings from the German cyber authority BSI about using Russian software.
Evidence suggests the exposed server was likely managed by NDM Systems, a Russia-based software developer that collaborated with Keenetic. As of March 1, 2025, Keenetic discontinued its mobile application and remote monitoring system in Russia, forcing users to switch to a new app called Netcraze.