A mobile app that can help people spy on Android and iPhone users, whether they’re spouses or children, has leaked millions of sensitive records, including passwords, call logs, text messages, contacts, notes, and location data. What’s more disturbing is that mSpy, the app in question, just suffered the second major security breach in three years. So you’re probably better off not using it going forward.
Security researcher Nitish Shah first discovered the breach. But his alerts were ignored by the company until KrebsOnSecurity contacted mSpy:
“Before it was taken offline sometime in the past 12 hours, the database contained millions of records, including the username, password and private encryption key of each mSpy customer who logged in to the mSpy site or purchased a mSpy license over the past six months. The private key would allow anyone to track and view details of a mobile device running the software, Shah said.”
The exposed database also contained other sensitive data, including the iCloud usernames and authentication tokens of mobile devices using mSpy, as well as iCloud backup files. Transaction details of mSpy license purchases made in the last six months were also exposed, including the name of the buyer, email address, mailing address, and amount paid.
mSpy’s chief security officer contacted KrebsOnSecurity to assure the blog that steps were taken to prevent the leak, and to imply that the data wasn’t misused:
“We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data.”
As the report points out, it’s unclear who’s behind mSpy, but the company does say it has over one million paying customers, and many of them will not be happy to hear about these security issues. The full report, which is worth a read, also details the previous mSpy security breach, during which hackers posted the customer data they had stolen on the Dark Web.