Mobile spyware customer data leaked online in apparent mSpy hack
Naked Security

The biggest victims of the mSpy 'hack' are likely to be those who were unaware their sensitive data was being logged in the first place.

mSpy, a spyware company that sells “the most popular and user-friendly application for watching over your kids, preventing theft, and supervising your employees’ performance,” appears to have been hacked recently.

Though still unconfirmed, the apparent hack has led to mSpy’s database appearing on the dark web, according to an anonymous tip received by Brian Krebs.

Pointed towards the Tor-based web page hosting the data, Krebs discovered “several hundred gigabytes worth of data taken from mobile devices running mSpy’s products, including some four million events logged by the software.”

Krebs says the exposed data includes a large number of emails and text messages, as well as photos, payment and tracking data for potentially more than 400,000 victims.

A message left by the apparent hackers of the database says:

Full database from http://mspy.com
> 400 000 users
apple id + password, tracking data, payment details, photo and more security info
enjoy

According to the International Business Times, an update to the dark web page on Friday indicated that the huge cache of data was currently unavailable for download, but a single user’s record remained, including their name, home address, email address and other personal data.

The mSpy app – available on Android, iOS, Windows and Mac computers – lets someone remotely track another person through their phone or tablet, a service that appears to be quite legal as long as it is used only to monitor consenting children or employees.

However, given that it could also be used for spying on partners without their knowledge, especially now that the company sells devices with mSpy pre-loaded, it seems likely that not everyone who has the app installed is aware that it is running on their device.

With the ability to run unobtrusively, collecting call log history, GPS location data, web history, emails, text messages, images, video, Skype and WhatsApp messages, as well as keystrokes and desktop screenshots, the amount of sensitive and private data potentially at risk is huge.

The firm – which has around two million users paying a subscription fee of anything from $8.33 to $799 for its services – will probably not attract too much sympathy for itself, especially from those who have discovered the app secretly running on their devices.

The same cannot be said for the victims of this apparent breach though.

As Krebs points out, many of those being monitored by mSpy are kids with concerned parents:

A public relations pitch from mSpy to KrebsOnSecurity in March 2015 stated that approximately 40 percent of the company's users are parents interested in keeping tabs on their kids. Assuming that is a true statement, it's ironic that so many parents have now unwittingly exposed their kids to predators, bullies and other ne'er-do-wells thanks to this breach.

Speaking to the IBTimes, mSpy staff denied a breach had taken place because – they say – existing security measures meant it was “not actually possible”.

The IBTimes reports that customers have apparently been told there is no evidence of a leak and no need to worry.

mSpy representatives even went as far as saying that they believed the story may have been fabricated by a competitor looking to discredit the company with “black marketing”, adding that Krebs’ report was being investigated by lawyers and other “authorised” parties.

Securing your phone with a passcode that you don’t share with anyone can help to prevent such spyware finding its way onto your phone. Read our 10 tips for securing your smartphone for more advice on protecting your mobile data.

Image of mobile phone data courtesy of Shutterstock.