- A popular cell phone tracker, mSpy, has suffered a massive data breach exposing sensitive information of millions of users.
- The leaked information includes customer credentials, telephone numbers, different services accessed, etc.
- mSpy clarified that it has addressed the breach quickly and only a very small percentage of user data was actually exposed.
mSpy is popular software used by parents to spy on their kids’ mobile phone activities. Recently, the service has found itself in the midst of a massive data leak that apparently contained many sensitive records of its users, such as call logs, passwords, text messages, contacts, and location data. The issue came to light when security researcher Nitish Shah spotted an open database on the web containing up-to-date mSpy records and notified KrebsOnSecurity’s Brian Krebs about it.
The leaked database, which has been taken offline in the past 12 hours, contained details of the private encryption key of every mSpy customer who had purchased a license in the past 6 months. According to Shah, access to the private encryption key means access to all the details of the mobile device on which mSpy is installed. This includes access to Apple iCloud username and authentication tokens, iCloud backups, WhatsApp and Facebook messages, details of customers who have purchased the licenses, and a whole lot more. In short, it’s a massive data breach.
Spyware mSpy for 2nd time failed to protect its iPhone and Android clients.
On their server was found open database with millions of users records including passwords, Facebook and WhatsApp messages, iCloud… via @briankrebs & @IamNitishShah https://t.co/t1Ew2nhZOd pic.twitter.com/0I5zzEsnrc
— Lukas Stefanko (@LukasStefanko) September 5, 2018
Perhaps the irony of the matter is that mSpy apparently turned down Shah’s support request when he tried to alert the company to the exposure. However, the company’s chief security officer did reply to KrebsOnSecurity, saying that the data is securely encrypted and there have not been many points of access to sensitive information. Krebs said that he could, in fact, find his own information in the leaked database in real time.
Not surprisingly, though, mSpy says that all is safe and there’s no need to panic. The company authored a blog post saying exactly what went wrong and how much sensitive data was affected. Shah’s support ticket seems to have gone unanswered because of an error by a support trainee. Also, according to mSpy, the database is mostly error logs, only a very tiny fraction (0.044%) of user credentials were actually available, and even that information was incorrect, as these are basically just error logs. mSpy’s take on the matter and the steps they claim to have taken to remedy the problem can be viewed here.
Krebs says that this is the second time in 3 years that mSpy has suffered a data breach. The last time such an incident occurred was in 2015, when leaked customer data was posted on the Dark Web. Smartphone data breaches are not uncommon, though, and a recent Department of Homeland Security study revealed that millions of smartphones on major carriers in the US are in fact highly vulnerable.
So, is it a good idea to trust companies to spy on your kids, even if it’s for a good cause? We’ll leave that up to you, but do remember that no enterprise is 100% immune to data breaches and, depending on the information shared with the company, the consequences can be anywhere from mild to disastrous.