Naked Security

Mobile spyware maker mSpy leaks millions of records – AGAIN

The irony: Parents put it on kids' phones to protect them, but this breach exposed sensitive data including WhatsApp and Facebook messages.

It’s one thing to slip spyware onto somebody’s phone so you can surreptitiously intercept text messages, call logs, emails, location tracking, calendar information and record conversations – that kind of privacy-spurning stuff.
It’s another thing entirely to be the company that makes and markets the software… and – the coup de GAH! – to suffer a breach that exposes not only the private data of the buggers, but that of the buggees… Twice. In three years.
Yes, we’re talking about mSpy. The “ultimate tracking software” runs on mobile phones and tablets, including iPhones and Androids. The company claims that it helps more than a million paying customers spy on the mobile devices of their kids and partners.
(Is it illegal? Well, mumble mumble, totally legal if you tell the target… which of course you’ll do, right… well, anyway, it’s your problem.)
The most recent breach, first reported by security journalist Brian Krebs on Tuesday, involves what he says are millions of sensitive records published online, “including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.”
The open database was discovered by security researcher Nitish Shah.
It’s since been taken offline, but while it was flapping open, anyone could query what Krebs said were “up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software,” all accessible without requiring user authentication.
That includes usernames, passwords and the private encryption keys of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. Shah said that with the private key, anyone could track and view details of a mobile device running the software.
But wait, there’s more, Krebs reports:

In addition, the database included the Apple iCloud username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files. Anyone who stumbled upon this database also would have been able to browse the WhatsApp and Facebook messages uploaded from mobile devices equipped with mSpy.

That means that someone could have spied on an indeterminate number of kids, besides others under mSpy surveillance, given that some parents install mSpy in order to keep track of their children.
One of the testimonials from mSpy’s site:

Why did I decide to use mSpy? Simple, I am not gonna sit and wait for something to happen. I read about Amanda Todd and other kids. Seriously, my son’s safety costs way more than $30.

Unfortunately, when you collect this type of private information, you get a situation that’s the opposite of keeping kids safe. You instead entrust a company with your child’s details, stored as they are in a database that’s a plum target for scumbags such as trolls, stalkers or child predators. The last thing in the world that any parent would want is for such people to have access to their children’s social media messages or account details, let alone be able to track their whereabouts and eavesdrop on their conversations. But that, unfortunately, is the risk you run when you install spyware: that anybody on the web can spy on your lover or child.


Shah said he was ignored when he tried to report the breach to mSpy. Krebs had better luck: after he contacted the company on 30 August, he got this reply from mSpy’s chief security officer, who identified himself only as “Andrew”:

We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.

Krebs notes that some of those “points of access” are his and Shah’s. They were both able to see their own activity on the site in real time via the exposed database.
The first time that someone tore a hole in mSpy and published its database on the dark web was in 2015.
At the time, for more than a week, mSpy denied the breach, in spite of customers confirming that their information was involved. It finally acknowledged to the BBC that yes, the breach had occurred.
It blamed blackmailers and said it was doubling up on security. Yet Krebs reports that more than two weeks after news of that first breach broke, the company still hadn’t disabled links to “countless” screenshots on its servers that were lifted from mobile devices running mSpy.
Would you really trust this company enough to put its software on your loved ones’ phones? No, neither would we.
To protect against someone doing it to you, make sure to secure your phone with a passcode that you don’t share with anyone: it can help to prevent spyware like this from sneaking onto your phone. Read our 10 tips for securing your smartphone for more advice on protecting your mobile data.