On September 12th 2017 suspicious activity was identified that indicated a security incident affecting CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191.
After liaison with relevant law enforcement authorities we alerted our customers in a Release Announcement, blog post and via in-app notifications. Please read our blog for the latest updates.
Frequently asked questions about this issue and the steps taken to rectify it follow below.
Who was affected?
This issue was isolated to two versions: Cleaner v5.33.6162 for 32-bit Windows users and CCleaner Cloud v1.07.3191 (if you are using CCleaner Cloud, the 32-bit version runs on 64-bit machines).
All builds on these version numbers were affected: Free, Professional, Slim, Portable, Business and Technician versions of CCleaner.
Were any other Piriform or Avast products compromised?
No other Piriform products were compromised.
No Avast or AVG products were compromised.
To confirm, CCleaner for Mac, CCleaner Android, Defraggler, Speccy and Recuva were not compromised.
What type of data was compromised?
As per our September 18th blog post, we were aware at that time that the compromise could cause the transmission of non-sensitive data (computer name, IP address, list of installed software, list of active software, list of network adapters). The server this data was transmitted to was shut down to eliminate risk.
Was the attack on consumers or businesses?
Initially, it was unclear whether the compromise was directed at consumers or businesses, or both. As we have gained new insights through our investigation, we can now say that the purpose of the attack was not to attack consumers and their data, but to gain access to corporate networks of select large enterprises. Avast have been reaching out individually to the companies known to be impacted and are providing them with additional technical information to assist them. If you are a business, please visit our business FAQs or the Avast blog for more information. Consumers are safe using CCleaner and we recommend you upgrade to the latest CCleaner version.
What do I need to do to make sure I am safe?
All users with Cleaner v5.33.6162 for 32-bit Windows should update to the latest version of Cleaner.
CCleaner Cloud v1.07.3191 users, you do not need to do anything. If you were using CCleaner Cloud version v1.07.3191, you have been automatically updated.
Cleaner version 5.33.6162 users, you may have been automatically upgraded to Cleaner version 5.33.6163 which is not affected, or you will have been asked to upgrade when you opened CCleaner.
As a precaution, we encourage all users to run the latest version of CCleaner. You can download the latest version of CCleaner here.
Business users, please visit our business FAQs or the Avast blog.
Where can I download the latest version of CCleaner?
You can download the latest version of CCleaner here.
Why is there no mention of the fix in the version 5.34 release announcement?
Version 5.34 was released as scheduled on September 12th and it was only shortly after this release that we were made aware of the compromise in the previous version 5.33.6162. Version 5.34 was not compromised.
I have a 64-bit machine so why is CCleaner still being flagged by antivirus?
CCleaner v5.33.6162 users, please note that the 32-bit and 64-bit versions of CCleaner are packaged as one installer. Most of the antiviruses can recognize the 32-bit version inside the installer and flag the whole installer as malware.
To resolve this, we recommend you download the latest version of CCleaner.
Is CCleaner v5.34 compromised?
No. But, due to the compromise in v5.33, we needed to update the program with a new digital signature.
CCleaner version 5.35 has been built in our new infrastructure and has been released with a new digital signature. You can download CCleaner v5.35 here.
I was asked to download CCleaner v5.34, but you have since released a newer version (5.35)? Is CCleaner v5.34 safe?
Yes, but because it's using a revoked certificate, it will be flagged by many antiviruses as suspicious or a virus.
Here’s an explanation of why that will happen:
The software we develop is verified with a security certificate. Each certificate usually lasts around two years.
CCleaner version 5.34 was released as per our usual release schedule before we became aware of the compromise. When we were made aware of the security compromise affecting version 5.33.6162, we verified that version 5.34 was not compromised and acted to move users to this version. Although CCleaner version 5.34 was not compromised, it shared the same digital signature as version 5.33.6162 which has now been revoked, meaning that v5.34 will be flagged by many antiviruses.
CCleaner version 5.35 has been built in our new infrastructure and has been released with a new digital signature. You can download CCleaner v5.35 here.
Although I have updated, my antivirus or malware protection system is telling me that CCleaner contains a Trojan. Why is this and what do I need to do?
You should update to our latest version, which is CCleaner v5.35. This version was built in a new infrastructure and should not be flagged by antivirus. You can check this by uploading the file to www.virustotal.com.
Was your certificate revoked?
Yes. We worked together with Symantec as a certification authority to issue a new certificate and revoke the old one. Our certificate was revoked on September 19th and CCleaner v5.35 was released with the new certificate on September 20th.
Why was your certificate revoked?
To make sure that the old certificate can't be used any further, because a compromised version was released under that certificate.
What might I notice as a result of the certificate change?
There is no change to the product; version 5.35 has the same set of features as version 5.34. If you were using v.5.34, you might have noticed that although this version was not compromised, it may have been flagged by your computer or antivirus as being potentially unsafe. Version 5.35 was released with a new certificate to resolve this.
Do I need to do anything to change the certificate?
No, we just recommend that you install new version (5.35) which is signed by the new certificate. You can download CCleaner v5.35 here.
Do I have to reinstall Windows?
No. This is not necessary.
How did the software get in the build?
We currently are investigating with law enforcement and don’t have any further information to share at this moment.
Do you have a suspicion who was behind this?
We are not able to comment at this point and will need to have law enforcement report on their investigation.
Do you have file hashes for us to verify we have the official CCleaner v5.35 build?
Yes, here are the MD5 and SHA256 file hashes for each of the CCleaner v5.35 builds:
CCleaner.exe - 32-bit CCleaner executable
MD5: 10f16bae4e236292a3bfa47b6f100518
SHA256: 478262a5d9d72bf339bd9b17261fea42dfdf0e36e4f233bbf7d6c6e9de0b0dc8
CCleaner64.exe - 64-bit CCleaner executable
MD5: e6f5ad3fd6d0f64ec88357fc481a71ab
SHA256: 06b27f68366f8d25a599c3ad8b1d23f18158f4edddee3174a22d3698089a8bc3
ccsetup535_slim.exe - Slim CCleaner Installer
MD5: 574c5c8a4d60e92d2929e20bff7ea7aa
SHA256: 3e66a578093c244be38a3228d000a8a80b5d16e3f8156b027244c87eb516d235
ccsetup.zip - Portable CCleaner
MD5: 004c785bdb1c01e89db9fa7d663ac27d
SHA256: e855694fca0919308491b8fb097b78aa9b1456acaa36f00bcd108a2b2656db51
ccsetup535pro.exe - CCleaner Professional Trial Installer
MD5: a1d648bf9328c7fffaf3e0a40de85358
SHA256: 61e1b4bf028b09ee20787cdf23cab7e3c511132f7df45da11bd9f2568cad7739
ccsetup535_pro.exe - CCleaner Professional Installer
MD5: a40230fe341c43bb5e5f7dbc2d1712cf
SHA256: a60cfb4226305736fe9206256ec90482cdc149fe32a4a8b45993356ccc6e4a9e
ccsetup535_be.exe - CCleaner Business Edition Installer
MD5: a4764ceac2ea72ce6045367c0e59b6eb
SHA256: 40e18acdda6b3d58665f58231c700a1f15e1dbbcd8f7f56b5e8f94cca115652f
ccsetup535_be.msi - CCleaner Business Edition MSI Installer
MD5: f16911c5aaf026e189705f06d9da41ee
SHA256: 7f6c24f459725110d714fa5324cfd7a57afb24245c9cc358b7f2b724a64763d6
ccsetup535_be_trial.exe - CCleaner Business Edition Trial Installer
MD5: f545db13ed4833821266f1a740d83bfe
SHA256: 04ff4c729fc93a97688602f83fa4603cb2d0913bdc7538fa7e69b098f4307402
ccsetup535_te.msi - CCleaner Technician Edition Installer
MD5: 361eed61fa10d30937018fe9ae3e90af
SHA256: 267047a7ab8d45990b72b6268dd6bb645582cc4d1b0fadd7c1a676f22f519450
Does this compromise affect business users?
All CCleaner users on 32-bit systems and all CCleaner Cloud users were affected. All CCleaner Cloud users have been automatically updated to the latest version and all CCleaner v5.33.6162 users should update to the latest version of CCleaner.
Business users, please visit our business FAQs or the Avast blog.
With millions of machines infected, are you taking this seriously enough?
Understanding how this illegal code made its way into the product and how this kind of attack can be prevented in the future is our top priority. We are working closely with law enforcement and Avast Threat Labs in their investigations.