mSpy makes mobile monitoring software aimed primarily at parents who want to keep track of their children's activities on their phones. The software has attracted negative attention since its launch in 2010, especially with regard to the ethics involved, as the premise of the app is highly controversial. In 2015, the company suffered a data breach which led to customer data being posted on the dark web.
Now, more than three years later, the company is involved in another massive controversy, as per a report by Brian Krebs from KrebsOnSecurity. According to the cybersecurity expert, mSpy leaked sensitive information - including usernames and passwords - of more than a million of its paying customers and devices targeted by the spy software.
All private information could reportedly be viewed in a database on the open web that required no authentication whatsoever to access. The amount of sensitive user data that was on display before the database was taken offline yesterday is not something that will be taken lightly by the app's customers. Usernames, passwords, and encryption keys of users who purchased an mSpy license any time over the last six months, or even simply logged in to the company's website, were available. Quite importantly, the aforementioned key would have enabled anyone to track the mobile device running the software.
That's not all, however. Customer names, email addresses, transaction details of all licenses purchased, user logs, and more were leaked as well. The records exposed were not limited to user data relevant to mSpy. The database also included browser information, Apple iCloud usernames and authentication tokens, and WhatsApp and Facebook messages of users who had the mSpy mobile app installed. Furthermore, user activity was viewable in real time as well.
Security researcher Nitish Shah, who initially became aware of this incident, says that the spyware company's support personnel were unhelpful when he reported his findings to them, and that they blocked him when a demand to allow contact with the CTO or Head of Security was made. On the other hand, KrebsOnSecurity contacted mSpy last week as well, and received a reply via mail yesterday. The email was sent by the company's Chief Security Officer and read as follows:
"We have been working hard to secure our system from any possible leaks, attacks, and private information disclosure. All our customers’ accounts are securely encrypted and the data is being wiped out once in a short period of time. Thanks to you we have prevented this possible breach and from what we could discover the data you are talking about could be some amount of customers’ emails and possibly some other data. However, we could only find that there were only a few points of access and activity with the data."
The firm did not state the amount and scope of data leaked, rather terming it as a "possible breach" of "only a few points of access and activity". Although, as stated above, the database has since been taken offline, a massive data leak such as this certainly puts the company's security policy in question. Furthermore, given that many of mSpy's paying customers are parents who use the app to spy on the activities of their children, it makes the breach of their own privacy somewhat ironic.
Update: mSpy has issued a response to this situation. Clarifying what actually happened, the company noted that although the data on the open web was indeed viewable for several days, it was due to a "technical mistake" by its developers, rather than deliberate leakage. Furthermore, the five million or so records listed were error logs, generated for example when a user incorrectly inputs their password. So the login information available wasn't accurate, per se.
Further information regarding the viewable data has been described as follows:
- Of the 5 million records (this is where the millions from Brian Krebs's article come from) of server error logs, login and password information was listed for 1241 accounts, which is 0.044% of the mSpy customer base. A considerable number of the passwords were incorrect, as error logs record failed login sessions.
- There is no way to use the encryption keys mentioned in the article without access to the actual database, so they cannot be used for any purposes.
- The lifetime of the token mentioned in the article is short (about 24 hours) and thus it was invalid by the time the problem was discovered.
- From the analysis of access to Kibana we see that there have been only 2 sessions with data deep research, recorded for India and US. We assume that these were Nitish Shah and Brian Krebs.
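The update describes the exposed records as server error logs that captured login and password values from failed sign-ins. As an added illustration (not mSpy's code), the following Python logging filter redacts such fields before any handler writes them; the field names, logger name and sample events are constructed assumptions.

```python
import io
import logging
import re

# Assumed list of secret-bearing field names; extend it for your own schema.
SENSITIVE_KEYS = ("password", "passwd", "auth_token", "token", "encryption_key")
REDACTED = "[REDACTED]"

# key=value, key: value and "key": "value" pairs; quoted values may contain spaces.
_PAIR_RE = re.compile(
    r"""(["']?\b(?:""" + "|".join(SENSITIVE_KEYS) + r""")\b["']?\s*[=:]\s*)"""
    r"""("[^"]*"|'[^']*'|[^\s,&}"']+)""",
    re.IGNORECASE,
)

def _mask(match: re.Match) -> str:
    value = match.group(2)
    quote = value[0] if value[0] in "\"'" else ""  # keep JSON/dict output well-formed
    return match.group(1) + quote + REDACTED + quote

def scrub(text: str) -> str:
    """Replace the value of every sensitive key/value pair found in text."""
    return _PAIR_RE.sub(_mask, text)

class CredentialScrubFilter(logging.Filter):
    """Scrub the fully formatted message, so secrets passed as %-args are caught too."""
    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()  # message is already formatted; drop the raw arguments
        return True

def demo() -> list[str]:
    """Send constructed failed-login events through a scrubbed handler."""
    stream = io.StringIO()
    handler = logging.StreamHandler(stream)
    handler.addFilter(CredentialScrubFilter())  # on the handler: covers child loggers too
    log = logging.getLogger("auth.demo")        # hypothetical logger name
    log.handlers[:] = [handler]
    log.propagate = False
    log.setLevel(logging.ERROR)
    log.error("login failed user=%s password=%s", "alice@example.test", "hunter2")
    log.error('login failed payload={"user": "bob", "password": "p@ss word"}')
    log.error("session rejected auth_token=%s", "abc123")
    return stream.getvalue().splitlines()

if __name__ == "__main__":
    print("\n".join(demo()))
```

Scrubbing at the source keeps submitted passwords and tokens out of the log store regardless of how that store is later exposed; it does not replace requiring authentication on the log viewer itself.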
To alleviate the situation, mSpy has changed the passwords of all listed accounts and is now training its support team on how to deal with a similar occurrence in the future. Moreover, the encryption keys are also planned to be changed soon.
The company apologized to its users, admitting that this issue is entirely its own fault, and that additional controlling procedures to avoid such situations should be created. Importantly, however, it insists that all user data is still secure.