Massive Keenetic data leak uncovered: 1M households could be exposed


Users of Keenetic routers, mainly in Russia, have been exposed in a major data leak revealing sensitive credentials, device details, network configurations, and logs. With this information, attackers can connect directly to and take over affected networks. However, the vendor estimates the risk of fraudulent activity to be low.

The Cybernews research team has obtained an anonymous tip, along with samples and other information, confirming the exposure of Keenetic users.

Keenetic acknowledged the incident and explained that on the morning of March 15th, 2023, an independent IT security researcher informed them about the possibility of unauthorized access to the Keenetic Mobile App database.


“After verifying the nature and credibility of the risk, we immediately resolved the issue on the afternoon of March 15th, 2023. The IT security researcher assured us that he hadn't shared any data with anybody and destroyed it. Since then, we had no indication that the database was compromised or any user was affected until the end of February 2025,” Keenetic said in a statement.

What did the anonymous source say?

Cybernews researchers were provided with samples of exposed data via an anonymous email. The researchers confirmed that the leak includes everything from WiFi passwords and router configurations to detailed service logs. Malicious actors with exposed sensitive keys could infiltrate home and business networks.

“The massive data exposure includes administrative credentials, extensive user data, WiFi details, device-specific settings, and network details. The incident poses severe privacy and security risks for the affected people,” Cybernews researchers warn.

“Attackers with access to these details could infiltrate affected networks, monitor or intercept traffic, and compromise additional connected devices.”

The numbers of exposed records, as claimed by the anonymous source, were as follows:

  • 1,034,920 exposed records with extensive user data: emails, names, locales, Keycloak identity management system and Network Order IDs, and Telegram Code IDs.
  • 929,501 leaked records contain detailed device information: WiFi SSIDs and passwords in plain text, device models, serial numbers, interfaces, MAC addresses, domain names for external access, encryption keys, and much more.
  • 558,371 device configuration records: user access details, passwords hashed with the weak MD5 algorithm, assigned IP addresses, and expanded router settings.
  • Comprehensive service logs containing 53,869,785 records: hostnames, MAC addresses, IPs, access details, and even “owner_is_pirate” flags.

Cybernews immediately informed Keenetic about potential data exposure. The company swiftly released an advisory for Keenetic mobile app users, urging them to change the following passwords and pre-shared keys:

  • Keenetic device user account passwords
  • WiFi passwords
  • VPN-client passwords/pre-shared keys for PPTP/L2TP, L2TP/IPSec, IPSec Site-to-Site, SSTP

Keenetic did not confirm or deny the numbers before publishing, and there is no other way to check if they’re correct.

The firm, however, said that the leak affects Keenetic Mobile App users “who registered before March 16th, 2023.”

What did the company say about the leak?

Keenetic estimates that there’s a low risk of fraudulent activity.

“A limited number of database fields were accessible: Keycloak IDs, emails (logins) and names of Keenetic accounts, locales; device user account configurations, including MD5 and NT password hashes; network interface configurations, including WiFi SSIDs and preshared keys; custom KeenDNS names; WiFi channel settings, roaming IDs and keys; IP policy and traffic shaping settings; remote peer addresses, logins and passwords of VPN clients, assigned IP addresses, names and MAC addresses of registered hosts; IPsec site-to-site configurations; IPsec Virtual-IP server configurations; DHCP pool settings; NTP settings; IP and MAC access lists,” Keenetic confirmed.

Keenetic also said it doesn’t collect, store, or analyze payment card details or related credentials, transactional data, banking details, or banking passwords. Thus, such data is not affected.

“To our best knowledge, no other data has been accessible. In particular, RMM data, Keenetic account data, private keys and configurations of Wireguard VPN tunnels, and OpenVPN data were inaccessible.”


What else we know about the leak: ties to Russian developers

The major security incident likely happened in March 2023, when a misconfigured server, exposing cloud backups for router configuration and other files, was discovered.

Further Cybernews investigation indicates that the exposed server was most likely managed by NDM Systems, a Russia-based software developer collaborating with Keenetic.

NDM Systems, based in Russia, was a key software partner for Keenetic, providing development and maintenance services for router firmware and associated platforms. Feature-rich Keenetic routers use cloud management solutions for integration, backup, remote updates, and other advanced networking features.

It is unclear who might have access to the data, who leaked it, or whether it is still available anywhere. The source was anonymous, and there have been no other public exposures to date.

Most of the exposed users seem to be from Russia: the locale data, according to the anonymous tip, shows at least 943,927 Russian-language users, 39,472 English-language users, and 48,384 Turkish-language users.


Keenetic is cutting its Russian roots

Keenetic is a network equipment vendor. It was a spinoff from Zyxel and has been independent since 2017. Keenetic equipment used to rely on software from Moscow-based NDM Systems.

However, after the start of the Russian invasion of Ukraine in 2022, the German cyber authority BSI warned against using Russian software. Keenetic released a statement strongly opposing the war and said it decided to relocate its software team from Russia to a new company in Germany.


The Russian version of the Keenetic website and some support pages in English list the company as a Moscow-based Netcraze (ООО Неткрейз). The company had 47 employees in Russia, and its revenues grew by 47% in 2023 to around $33 million (2.9 billion rubles).

According to public registries, NDM Systems' revenues remained almost unchanged at around $2 million (165 million rubles) in 2023. The company had 47 employees. As of today, it’s unclear whether NDM Systems remains the vendor for KeeneticOS.

Starting March 1, 2025, citing legislative changes, Keenetic discontinued its mobile application and remote monitoring system in Russia, forcing users to switch to a new app called Netcraze, according to local media.

Cybernews couldn’t find public data on Keenetic GmbH employees in Germany. On LinkedIn, over 200 users from around the globe, including Russia, Germany, and many other countries, list Keenetic as their employer.

The majority (70%) of publicly discoverable Keenetic routers are in Russia, followed by 14% in Ukraine, and 5% in Turkey, according to the Shadowserver Foundation data.


Significant risks: plain text passwords are a hacker’s dream

The Cybernews Research team recommends that all Keenetic users who have not changed credentials in the last two years follow the company’s advice.

“This incident highlights the importance of secure development and hosting practices within supply chains. All vendors, including Keenetic, and their development partners, need to implement stringent data protection protocols, as this leak painfully demonstrates,” they said.

The leak is a trove of plain text WiFi passwords and other keys, giving potential attackers direct and immediate access to affected wireless networks. WiFi SSIDs and WPA pre-shared keys were stored in plain text, so no cracking is needed: anyone within radio range of a network, or able to reach its router through an exposed KeenDNS name, can use them as-is. Router user account passwords were hashed with the deprecated MD5 algorithm, which is fast enough that a wordlist attack on commodity hardware recovers weak passwords in seconds.
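To make the MD5 point concrete, the following is an added illustration written for this article; it is not code or data from Cybernews or Keenetic, and the hashes, passwords and wordlist in it are constructed for the demo rather than taken from the leak. It runs the same dictionary attack against a fast MD5 hash and against a salted, memory-hard scrypt hash of the same password, so the per-guess cost of each scheme can be compared directly. The same reasoning applies to the NT password hashes Keenetic mentioned, which are likewise unsalted and fast to compute.

```python
"""Why a fast MD5 password hash is a brute-force target, and what a slow,
salted KDF changes.

Added illustration for this article: the hashes, passwords and wordlist below
are constructed for the demo and are not taken from the Keenetic leak.
"""
import hashlib
import hmac
import os
import time
from typing import Optional, Tuple

# Constructed stand-in for a real password dictionary. Public wordlists run to
# tens of millions of entries; the loops below are the same, only longer.
WORDLIST = ["password", "123456", "qwerty", "letmein", "admin", "keenetic", "Summer2023!"]


def md5_hex(password: str) -> str:
    """Legacy scheme: one fast MD5 over the password, no work factor."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_md5(target_hex: str, wordlist) -> Optional[str]:
    """Dictionary attack on an MD5 hash: one hash per candidate, microseconds each."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_hex(candidate), target_hex):
            return candidate
    return None


def scrypt_hash(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Hardened scheme: per-user random salt plus a memory-hard KDF (scrypt from
    the standard library). n=2**14, r=8 costs about 16 MiB of RAM and tens of
    milliseconds per guess, and the salt stops one attack run covering every user."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_scrypt(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = scrypt_hash(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_scrypt(salt: bytes, digest: bytes, wordlist) -> Optional[str]:
    """Same dictionary attack against the scrypt hash: every guess pays the full KDF cost."""
    for candidate in wordlist:
        if verify_scrypt(candidate, salt, digest):
            return candidate
    return None


def compare_cost(password: str = "keenetic") -> dict:
    """Crack the same password under both schemes and report seconds per guess."""
    leaked_md5 = md5_hex(password)  # constructed "leaked" hash, not from the breach
    t0 = time.perf_counter()
    md5_found = crack_md5(leaked_md5, WORDLIST)
    md5_seconds = time.perf_counter() - t0

    salt, digest = scrypt_hash(password)
    t0 = time.perf_counter()
    scrypt_found = crack_scrypt(salt, digest, WORDLIST)
    scrypt_seconds = time.perf_counter() - t0

    return {
        "md5_found": md5_found,
        "scrypt_found": scrypt_found,
        "md5_seconds_per_guess": md5_seconds / len(WORDLIST),
        "scrypt_seconds_per_guess": scrypt_seconds / len(WORDLIST),
    }


if __name__ == "__main__":
    for key, value in compare_cost().items():
        print(f"{key}: {value}")
```

Both attacks recover the weak password from the wordlist; the difference is that each scrypt guess costs several orders of magnitude more time and memory than each MD5 guess, which is the property a password hash needs when a database of hashes leaks. The scrypt parameters here are illustrative; a production deployment would pick them for its own hardware and use a dedicated password-hashing library.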


“Leaked admin credentials grant full administrative privileges, and can be used to manipulate settings or install malicious firmware. Hackers can use exposed domain names to connect remotely. No cracking or sophisticated techniques are needed to connect and obtain full access to the local networks,” the researchers explain.

Once inside a local network, attackers can eavesdrop on traffic, harvest additional credentials, or compromise other devices.

The researchers warn that potential malicious actors with access to the user’s router can attempt DNS hijacking and redirect web traffic to malicious sites.

Detailed service logs with usage flags, such as the “owner_is_pirate” flag, can be further exploited for blackmail, extortion, or targeted scams, as they provide deep insights into user profiles and behaviors.

“PCs, smart TVs, IoT sensors, laptops – any connected devices – are also at risk, as attackers can monitor traffic, steal data, or even control these devices.”

“If hackers get their hands on the user data, it can also be used in phishing attacks, social engineering, and identity theft. It is likely that many of the routers can be compromised for malicious botnet activities,” the researchers said.


Reconsider if you need unencrypted cloud backup

Cybernews researchers recommend Keenetic users immediately change WiFi names (SSIDs) and passwords, router admin passwords, and any other credentials used in their networks, including the VPN client passwords and pre-shared keys named in Keenetic’s advisory.

A good rule of thumb is to always keep the firmware updated and monitor the network for unusual activity. Unused remote management, port forwarding, and UPnP features should also be disabled.


Users should also reconsider whether they need cloud backups of their configurations, especially since they’re kept in plain text.

“Cloud backups for these routers raise significant security concerns,” our researchers warn.

“Users might not even realize if the feature is enabled and the routers are sending their data, which then is stored remotely by a third party. This creates a centralized target for attackers interested in exposed passwords and network settings.”