Spyware app reportedly leaks millions of its own customers' sensitive records online

mSpy is the creator of a mobile monitoring software, primarily focused toward parents as a way of keeping track of their children's activities on their phones. The software has attracted negative attention since its launch in 2010, especially with regards to the ethics involved, as the premise of the app is highly controversial. In 2015, the company suffered a data breach which led to customer data being posted on the dark web.

Now, more than three years later, the company is involved in another massive controversy, as per a report by Brian Krebs from KrebsOnSecurity. According to the cybersecurity expert, mSpy leaked sensitive information - including usernames and passwords - of more than a million of its paying customers and devices targeted by the spy software.

All private information could reportedly be observed on a database on the open web that required no authentication whatsoever to access. The amount of sensitive user data that was on display before the database was taken offline yesterday is not something that will be taken lightly by the app's customers. Usernames, passwords, and encryption keys of users who purchased an mSpy license any time over the last six months, or even simply logged in to the company's website was available. Quite importantly, the aforementioned key would have enabled anyone to track the mobile device running the software.

That's not all, however. Customer names, email addresses, transaction details of all licenses purchased, user logs, and more were leaked as well. The records exposed were not limited to only user data relevant to mSpy. The database also included browser information, Apple iCloud username and authentication token, and WhatsApp and Facebook messages of users who had the mSpy mobile app installed. Furthermore, user activity was viewable in live time as well.

Security researcher Nitish Shah, who initially became aware of this incident, says that the spyware company's support personnel were unhelpful when he reported his findings to them, and that they blocked him when a demand to allow contact with the CTO or Head of Security was made. On the other hand, KrebsOnSecurity contacted mSpy last week as well, and received a reply via mail yesterday. The email was sent by the company's Chief Security Officer and read as follows:

"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."

The firm did not state the amount and scope of data leaked, rather terming it as a "possible breach" of "only a few points of access and activity". Although, as stated above, the database has since been taken offline, a massive data leak such as this certainly puts the company's security policy in question. Furthermore, given that many of mSpy's paying customers are parents who use the app to spy on the activities of their children, it makes the breach of their own privacy somewhat ironic.

Source: KrebsOnSecurity