mSpy, a company that sells software designed to let users spy on their children, partners, or anyone else they want to keep an eye on, left exposed more than two million records “including software purchases and iCloud usernames and authentication tokens of devices running mSpy,” TechCrunch reported.
Spyware mSpy for the 2nd time failed to protect its iPhone and Android clients.
On their server an open database was found with millions of user records including passwords, Facebook and WhatsApp messages, iCloud... via @briankrebs & @IamNitishShah https://t.co/t1Ew2nhZOd pic.twitter.com/0I5zzEsnrc
— Lukas Stefanko (@LukasStefanko) 5 September 2018
mSpy markets its software as the “ultimate monitoring software for parental control,” according to CNET. But it belongs to a broad family of spyware apps that have attracted attention from federal prosecutors in the past, such as the 2014 indictment and subsequent guilty plea of Pakistani entrepreneur Hammad Akbar on charges of selling and advertising wiretapping equipment. While mSpy’s user agreement includes disclaimers stating that the software cannot be used for illegal purposes, there is ample evidence that many users purchase subscriptions for exactly that purpose, which is why such apps are sometimes referred to as “stalkerware.”
The leak first emerged via developer Nitish Shah, who, as security researcher Brian Krebs wrote on his blog, notified Krebs about an exposed mSpy online database. The database required no authentication at all and “allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software,” Krebs wrote.
The database has since been restricted after Krebs reached out to mSpy managers, but according to screenshots posted on his site, anyone who had discovered the exposure could have gained access to call logs, text messages, browser histories, iCloud usernames and authentication tokens, and WhatsApp and Facebook messages belonging to people with the mSpy software running on their phones. The exposed internal mSpy company data “included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid,” Krebs added.
That is to say, the spy could have become the spied upon as well.
In an email to Krebs, an mSpy staff member identifying themselves as the company’s chief security officer acknowledged the exposure, but said that customer accounts were “securely encrypted” and that only a handful of people had access to the data.