Hackers hid malicious code in popular CCleaner software

Avast-owned Piriform, which makes the computer-cleaning program, says no harm was done to any users but encourages people to check which version they have.

Katie Collins Senior European Correspondent
Laura Hautala

Hackers penetrated computer-optimization software CCleaner in a way that could have let them control millions of devices, Piriform, the company that makes the program, said Monday.

A malicious program was planted inside the popular, free software, which is downloaded as often as 5 million times per week and is used to delete cookies and junk programs to make computers and Android phones run faster.

Piriform said it estimates that 2.27 million people used the infected software, but sought to calm consumers who might be inclined to panic. The company is now owned by Czech Republic-based antivirus company Avast.

"We resolved this quickly and believe no harm was done to any of our users," Piriform said in a statement. In a blog post Tuesday, Avast executives Vince Steckler and Ondřej Vlček wrote that while about 730,000 CCleaner users still have the infected version of the software on their computers, the malicious software has been disabled, so no one is at risk anymore.

It's just the latest episode in the unsettling saga of vulnerable computers. Last week a security company flagged a flaw that could let malware hit more than 5 billion Bluetooth devices, and Google purged its Play Store of millions of dangerously compromised apps. In May and June, ransomware attacks locked up computers around the world, demanding payment from people and companies in return for renewed access.

This hack shows that even software updates from trusted brands can be bad news. It's also ironic, because one of the best ways to keep your devices safe from hackers is to keep your software up to date. Usually.

The hackers were able to infiltrate the CCleaner program and insert malicious code at some point while Piriform software developers were creating the new version of the program. As a result, the code was signed by a digital certificate meant to guarantee it came from a legitimate CCleaner software developer. For regular users of CCleaner, there was no reason to distrust the software update that contained the bad code.

"It's a powerful attack for sure," said Tod Beardsley, a forensic security expert at cybersecurity firm Rapid7. "If I trust whoever's giving me updates, then I trust the updates are good."

Avast, the Czech Republic-based security software maker that bought Piriform in July, uncovered the CCleaner attack on Sept. 12. Two versions of the software released in August were affected, the company said.

Piriform advised people with CCleaner v5.33.6162 or CCleaner Cloud v1.07.3191 installed on their machines to delete them and download new versions as soon as possible. The software doesn't update automatically. 

"We are continuing to investigate how this compromise happened, who did it, and why," Piriform said. "We are working with US law enforcement in their investigation."

First published Sept. 18, 6:04 a.m. PT.
Update, Sept. 18, 2:15 p.m. PT: Adds more information and comment from Rapid7's Tod Beardsley.
Update, Sept. 19, 2:15 p.m. PT: Adds new information from Avast. 
