Mac app developer Steven Frank of Panic, Inc. announced on the company blog that, through an incredible run of bad luck, he managed to download an infected copy of Handbrake during the three day window it was hacked and infected by malware. Panic is the maker of Coda, Transmit, Prompt, and Firewatch.
Popular video transcoder Handbrake had posted a security warning that its program was hacked. Anyone that downloaded Handbrake between May 2 and May 6 were told to verify the app is not infected by a trojan. Unfortunately, Frank got that trojan.
In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned.
Frank clarifies that no customer information was stolen, no sync data from Panic was accessed, and their web servers were not compromised. Additionally, Frank reminds us that Panic never stores credit card numbers and Panic Sync data is encrypted so that even the company can't access it.
Frank details the number of mistakes he made, which ultimately led to downloading the malware onto his computer.
I managed to download ... an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn't before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less.
Through the downloaded malware, the attackers were able to steal Panic's GitHub credentials and used them to clone sever of the company's source code repositories.
The attackers sent an email to Panic with a demand for a "large bitcoin ransom to prevent the release of the source code."
They didn't pay. Instead, Panic contacted the FBI and Apple directly. Apple helped the dev team and quickly dispatched a security team to address the issue.
The right people at Apple are now standing by to quickly shut down any stolen/malware-infested versions of our apps that we may discover.
Panic requests that, if anyone comes across an unofficial version of its apps to get in touch.
Frank reminds everyone to only download apps directly from the Mac app store or from official sources to avoid downloading malicious content. He also reminds us how important it is to be aware of our download activities.
I kick myself every day for not paying attention to what I was doing; the tells were obvious in hindsight. It's a good reminder though — no matter how experienced you might be with computers, you're human, and mistakes are easily made. And even though this doesn't affect our customers directly, we want to apologize that we're even having to have this discussion with you.
Keep yourself secure on the web
Main
- How to use two-factor authentication
- How to protect your data from being hacked
- How to quickly temporarily disable Face ID
- Best practices for staying safe on social media
- Best VPN services
- How to lock down your data on iPhone and iPad
- Best ways to increase iPhone and iPad security
- How to back up your iPhone, iPad, and Mac
- Differential privacy — Everything you need to know!

This ultra-rare Apple computer just sold for $468,750
An Apple-1 computer hand-numbered by Steve Jobs has sold at auction for $468,750.

iOS gaming recap: Drop into the Disney Mirrorverse and more from Netflix
This week in the iOS gaming world, Netflix made some more big moves to bring a beloved game to mobile, while Disney is doing more multiverse madness.

Review: This ZAGG Apple Watch band is a good Braided Solo Loop dupe
We love the Apple Braided Solo Loop, but that $99 price tag can be hard to swallow if you want multiple colors. Thankfully, ZAGG has a good alternative that costs half of that.

All the security cameras that support Apple's HomeKit Secure Video
HomeKit Secure Video-enabled cameras add additional privacy and security features like iCloud storage, face recognition, and Activity Zones. Here's all of the cameras and doorbells that support the latest and greatest HomeKit features.