I'm a first-year Life Sci student who looked into how MacTrack's auto enrollment actually works under the hood after seeing this post. What I found was serious enough that I reached out to the developers privately. They added a disclaimer acknowledging the risks, and then removed it after they realized how badly it hurt sales, all while ghosting me. As of right now, MacTrack still hasn't removed this feature.
Because they decided to prioritize their bottom line over your privacy, I'm sharing everything I found:
- Your username and password go to MacTrack's servers
- They store a master key that gives full access to your Mosaic account indefinitely
- Your Mosaic portal has your SIN number, financial aid, transcripts, and personal info
- Changing your password does NOT revoke their access
If you signed up, contact McMaster's IT team IMMEDIATELY and tell them to force expire your session tokens.
You can find the full breakdown here, where I discuss everything in more detail along with proof that MacTrack's team deliberately chose to hide this from users.
Edit: UTS responded and confirmed the university will be taking appropriate action, and outlined the proper steps to take if you've been affected. Here's what they said:
- Go to https://mysignins.microsoft.com/
- Click "Change Password" and please proceed to change your password.
- Once you've changed your password, on the Overview tab, click "Sign out everywhere".
- Click "Security info" and please review the multi-factor authentication methods configured on your account in the event the attackers changed your multi-factor authentication methods.