Data Breach Affects iPhone Spyware-Maker, Millions of Users Affected

iPhone spyware-maker mSpy has reportedly suffered a data breach, which has impacted millions of its users. It has been reported that sensitive personal information belonging to the users has thus been “accidentally” exposed to the web. The personal data include passwords, text messages, call logs, contact info, notes etc.

The massive data breach was discovered and revealed by Brian Krebs through his website KrebsonSecurity. Krebs writes, “mSpy, the makers of a software-as-a-service product that claims to help more than a million paying customers spy on the mobile devices of their kids and partners, has leaked millions of sensitive records online, including passwords, call logs, text messages, contacts, notes and location data secretly collected from phones running the stealthy spyware.”

Brian Krebs further writers, in his post dated September 4, 2018, “Less than a week ago, security researcher Nitish Shah directed KrebsOnSecurity to an open database on the Web that allowed anyone to query up-to-the-minute mSpy records for both customer transactions at mSpy’s site and for mobile phone data collected by mSpy’s software. The database required no authentication.”

mSpy, an internationally popular mobile software-maker, is a global leader in the market of mobile monitoring. The mSpy website says, “mSpy is a must-have tool for parents who want to stay on the top of their kids` smartphone activities, preventing online dangers and unwanted exposure.”

The company’s official website further says- “mSpy is a reputable player and a global leader in the market of mobile monitoring. Our single-minded team of experts develops high-quality products which meet the needs of a large audience, especially parents. Being present in more than 100 countries, it is well recognized for its contribution to children’s online protection, which is the priority of the UNICEF strategy.”

The database was soon taken offline, but it’s speculated that lots of data could possibly have been stolen. The KrebsonSecurity post says, “Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased an mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.”

The U.S-based website iDrop News, which zooms in on ” the latest information on Apple products and trends in technology”, notes, “It’s worth noting that, here in the United States, selling spyware software like mSpy is considered a criminal offense that’s regulated and punishable by law. It’s not currently known from which country mSpy is offering its platform for sale, however, as the company is said to have enacted extreme measures to shield even its own activities.”

KrebsonSecurity explains that any person who’d have stumbled upon the exposed database would also have been able to browse the Facebook and Whatsapp messages that were uploaded from the mobile devices that were equipped with mSpy. The database, Krebs points out, also “…included the Apple iCloud username and authentication token of mobile devices running mSpy, and what appear to be references to iCloud backup files.”

Krebs further says- “Other records exposed included the transaction details of all mSpy licenses purchased over the last six months, including customer name, email address, mailing address and amount paid. Also in the data set were mSpy user logs — including the browser and Internet address information of people visiting the mSpy Web site.”

Nitish Shah tried alerting mSpy of his findings, but he was reportedly ignored and his chat with them blocked. KrebsonSecurity alerted mSpy on August 30 and on September 4, Krebs received an email from mSpy’s Chief Security Officer, who had given only his first name, “Andrew”.

Krebs shares the content of the email- “We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”

Krebs adds, in his post- “Some of those “points of access” were mine. In fact, because mSpy’s Web site access logs were leaked I could view evidence of my own activity on their site in real-time via the exposed database, as could Shah of his own poking around.”

mSpy had suffered a data breach earlier, in 2015 and it was KrebsonSecurity that broke the news then too, reporting that mSpy had been breached and users’ data was available on the Dark Web.