HandBrake hack affects Mac app developer Panic

Mac app developer Steven Frank of Panic, Inc. announced on the company blog that, through an incredible run of bad luck, he managed to download an infected copy of Handbrake during the three day window it was hacked and infected by malware. Panic is the maker of Coda, Transmit, Prompt, and Firewatch.

Popular video transcoder Handbrake had posted a security warning that its program was hacked. Anyone that downloaded Handbrake between May 2 and May 6 were told to verify the app is not infected by a trojan. Unfortunately, Frank got that trojan.

In a case of extraordinarily bad luck, even for a guy that has a lot of bad computer luck, I happened to download HandBrake in that three day window, and my work Mac got pwned.

Frank clarifies that no customer information was stolen, no sync data from Panic was accessed, and their web servers were not compromised. Additionally, Frank reminds us that Panic never stores credit card numbers and Panic Sync data is encrypted so that even the company can't access it.

Frank details the number of mistakes he made, which ultimately led to downloading the malware onto his computer.

I managed to download ... an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn't before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less.

Through the downloaded malware, the attackers were able to steal Panic's GitHub credentials and used them to clone sever of the company's source code repositories.

The attackers sent an email to Panic with a demand for a "large bitcoin ransom to prevent the release of the source code."

They didn't pay. Instead, Panic contacted the FBI and Apple directly. Apple helped the dev team and quickly dispatched a security team to address the issue.

The right people at Apple are now standing by to quickly shut down any stolen/malware-infested versions of our apps that we may discover.

Panic requests that, if anyone comes across an unofficial version of its apps to get in touch.

Frank reminds everyone to only download apps directly from the Mac app store or from official sources to avoid downloading malicious content. He also reminds us how important it is to be aware of our download activities.

I kick myself every day for not paying attention to what I was doing; the tells were obvious in hindsight. It's a good reminder though — no matter how experienced you might be with computers, you're human, and mistakes are easily made. And even though this doesn't affect our customers directly, we want to apologize that we're even having to have this discussion with you.