Slashdot Mirror


Mobile Spy Software Maker MSpy Hacked, Customer Data Leaked

pdclarry writes: mSpy sells a software-as-a-service package that claims to allow you to spy on iPhones. It is used by ~2 million people to spy on their children, partners, exes, etc. The information gleaned is stored on mSpy's servers. Brian Krebs reports that mSpy has been hacked and their entire database of several hundred GB of their customers' data has been posted on the Dark Web. The trove includes Apple IDs and passwords, as well as the complete contents of phones that have mSpy installed. So much for keeping your children safe.

79 comments

  1. And the NSA is grabbing it as we speak ... by BarbaraHudson · · Score: 2

    I guess some enterprising lawyer will also use it to troll for clients whose spouses have spied on them.

    --
    "Transparent" is a shit show that trades on every stereotype going. A man in drag is NOT a transsexual.
    1. Re:And the NSA is grabbing it as we speak ... by Anonymous Coward · · Score: 3, Informative

      You joking? The NSA already had this data.

    2. Re:And the NSA is grabbing it as we speak ... by Anonymous Coward · · Score: 0

      1. Download hacked content from darkweb
      2. Find clients who were spied upon
      3. Get sued by mSpy for hacking their website/using their copyrighted materials (aka.. License quote "You will not use such proprietary content, information, or materials except for permitted use of the Services.")
      4. mSpy profits

      Hmm, nice biz plan :)

    3. Re:And the NSA is grabbing it as we speak ... by Anonymous Coward · · Score: 0

      I guess some enterprising lawyer will also use it to LEGALLY "blackmailing" people

      FTFY

    4. Re:And the NSA is grabbing it as we speak ... by Narcocide · · Score: 2

      I like this one better.

      1) allegedly hack into mSpy to steal data.
          * didn't need to do this part, because you already work for the NSA and have all the data, but it was fun anyway
      2) post stolen data to the darkweb (nobody there will ask if you simply downloaded it off your work intranet, they'll assume you just hacked mSpy)
      3) profit (and laugh while mSpy implodes under a dogpile of negative publicity, all cleanly deflected from your employer)

    5. Re:And the NSA is grabbing it as we speak ... by johnsnails · · Score: 5, Funny
    6. Re:And the NSA is grabbing it as we speak ... by l0n3s0m3phr34k · · Score: 2

      "Parallel construction", just using an "illegal" channel to get the data to someplace where they can "legally" grab it.

    7. Re:And the NSA is grabbing it as we speak ... by justthinkit · · Score: 2

      Or this one:
      (x) make up most of the story.

      The math on what was taken doesn't add up. "Several hundred gigabytes" ~= 200GB. Users ~= 2M. Dividing and we find 100,000 bytes per person. What photo do you know that a modern cell phone camera can take that only uses 100,000 bytes? What other data is there? x & y coordinates of finger swipes?

      Yes, they could be transmitting things like web sites visited, but is that really a big deal?

      Or, this was a microscopic "break in" of a handful of accounts.

      --
      I come here for the love
  2. LOL by Anonymous Coward · · Score: 0

    Look on the bright side: this is in fact the best way to educate people on what software security means.

    Best way to keep them safe is to NOT INSTALL SPYWARE.

    Whoever got burned had to have seen it coming. If they didn't, they will next time.

    1. Re:LOL by Narcocide · · Score: 3, Insightful

      It's cute how you assume most people can learn from their mistakes by tracing decision to result to cause to unintended effect.

    2. Re:LOL by Anonymous Coward · · Score: 0

      I needed a good laugh.

      Yeah, gee, if you install spyware on your phone your data might not be private.
      In other news, if you eat lots of baked beans you might start farting, and if you keep driving if your gauge says "E" your car might stop running. ... more breaking news at 10.

    3. Re:LOL by Anonymous Coward · · Score: 0

      You've got a good point there.

  3. Everything has a bright side by fustakrakich · · Score: 5, Funny

    All your stuff is backed up... somewhere

    --
    “He’s not deformed, he’s just drunk!”
    1. Re:Everything has a bright side by Anonymous Coward · · Score: 1

      ...all your datum are belong to us...

    2. Re:Everything has a bright side by Noah+Haders · · Score: 3, Funny

      I liked how when there was that kerfuffle over Hillary's missing emails, a congressman wrote the NSA a letter directing them to retrieve the data.

    3. Re:Everything has a bright side by Anonymous Coward · · Score: 0

      ...all your datum are belong to us...

      Well constructed!

    4. Re:Everything has a bright side by silentcoder · · Score: 3, Funny

      Linus used to say "Don't make backups, just stick your stuff on an FTP server and let the world copy it"... I don't think he meant that it was supposed to happen without your consent or knowledge however.

      --
      Unicode killed the ASCII-art *
    5. Re: Everything has a bright side by Anonymous Coward · · Score: 0

      except for a small thermal exhaust port. All the zigs!

  4. Now watch the lawsuits from people spied on by Anonymous Coward · · Score: 0

    So now, anyone who suspects mSpy was used to spy on them will search that data, find their *own* data, and sue mSpy. mSpy will give up the name of the purchaser to prove they actually aren't party to a criminal surveillance / hacking case.

  5. Don't make illegal items, except for us... by Anonymous Coward · · Score: 1

    The problem is this statement:

    Akbar was charged with selling and advertising wiretapping equipment.

    “Advertising and selling spyware technology is a criminal offense, and such conduct will be aggressively pursued by this office and our law enforcement partners,” U.S. Attorney Dana Boente said in a press release tied to Akbar’s indictment.

    So it is illegal to sell wiretapping equipment.
    Why are there so many companies selling and advertising such equipment to government agencies without being charged?

    1. Re:Don't make illegal items, except for us... by Anonymous Coward · · Score: 0

      > Why are there so many companies selling and advertising such equipment to government agencies without being charged?

      Cause they got the drones.

    2. Re:Don't make illegal items, except for us... by Anonymous Coward · · Score: 0

      Why are there so many companies selling and advertising such equipment to government agencies without being charged?

      Rhetorical, right?

    3. Re:Don't make illegal items, except for us... by Narcocide · · Score: 5, Insightful

      It's a real simple marketing trick actually. Don't call it "spyware" or "wiretapping", call it "security" and "monitoring" and make sure to mention "for the children" and you're all good.

    4. Re:Don't make illegal items, except for us... by Anonymous Coward · · Score: 0

      Of course. We should still point out the elephants when we see them in the room, not just accept that everything is normal just because some people don't like talking about them.

    5. Re:Don't make illegal items, except for us... by sysrammer · · Score: 1

      Pretty much.

      --
      His ignorance covered the whole earth like a blanket, and there was hardly a hole in it anywhere. - Mark Twain
    6. Re:Don't make illegal items, except for us... by Z00L00K · · Score: 4, Funny

      Akbar - It's a trap!

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
    7. Re:Don't make illegal items, except for us... by gl4ss · · Score: 1

      they made the government official sign a NDA.

      and gave them some money back. that they can't disclose to their voters. because of the nda.

      --
      world was created 5 seconds before this post as it is.
    8. Re:Don't make illegal items, except for us... by Anonymous Coward · · Score: 0

      I found I could sell a lot more thieves' tools kits when I marketed them as screwdrivers, files, and saws "for the handy".

  6. LOL by koan · · Score: 2

    I needed a good laugh.

    --
    "If any question why we died, Tell them because our fathers lied."
  7. Wow that's no longer glass half full by Anonymous Coward · · Score: 0

    Overflowing

  8. Encryption anyone? by Nyder · · Score: 1

    I'm pretty sure this is why you encrypt your database. But you know, whatever, cost money, might hurt the bottom line.

    --
    Be seeing you...
    1. Re:Encryption anyone? by TWX · · Score: 2

      There still needs to be a means to use the database. There also needs to be a means for automated software (ie, that which is installed as a client on the compromised phone) to authenticate into the database. There's going to be a weakness somewhere even for an encrypted database otherwise the database is useless. For all we know it was encrypted and it was compromised through a phone that had itself been compromised with the company's software.

      If that's how it happened, or if analysis of a compromised device gave the people what they needed to break in, then I really can't be sympathetic.

      --
      Do not look into laser with remaining eye.
    2. Re:Encryption anyone? by Em+Adespoton · · Score: 2

      If a system like this was properly designed, the data would be encrypted against a key held by the customer, and the company would never have access to decrypted data. As it is, it appears that every person using the service was in effect providing the company with all the data from the phone in question. What the company did with it after this point is irrelevant, as the information is already compromised.

      Based on the activities of the original owners, I wouldn't be surprised if someone got fired from the company, but didn't get their credentials revoked in time -- or they had already been making a backup of all the data. If one of the founders now owns a competitive product, this could be purely a method of taking out the competition.

      Or, it could be just a case of bad/lapsed security.
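
The design described in the two replies above, as an added example that is not part of the thread or of any vendor's code: the uploading client holds only the customer's public key, so it can write records without being able to read them, and a dump of the server's database contains only ciphertext. The names `Record`, `Seal`, `Open` and `Demo`, the choice of X25519 with AES-256-GCM, and the SHA-256 key derivation are assumptions made for the illustration.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Record is everything the service stores, so it is all a database dump contains.
type Record struct{ EphemeralPub, Ciphertext []byte }
const samplePayload = "note-0001: constructed sample text" // constructed, not real data

// aead does X25519, then SHA-256 as a simple KDF (production: HKDF) into AES-256-GCM.
func aead(priv *ecdh.PrivateKey, peer *ecdh.PublicKey, ephPub, custPub []byte) (cipher.AEAD, error) {
	shared, err := priv.ECDH(peer)
	if err != nil {
		return nil, err
	}
	key := sha256.Sum256(bytes.Join([][]byte{[]byte("example-v1"), shared, ephPub, custPub}, nil))
	block, _ := aes.NewCipher(key[:]) // cannot fail: the key is always 32 bytes
	return cipher.NewGCM(block)
}

// Seal runs on the uploading client, which holds only the customer's public key.
func Seal(custPub *ecdh.PublicKey, plaintext []byte) (*Record, error) {
	eph, err := ecdh.X25519().GenerateKey(rand.Reader) // fresh key pair per record
	if err != nil {
		return nil, err
	}
	ephPub := eph.PublicKey().Bytes()
	gcm, err := aead(eph, custPub, ephPub, custPub.Bytes())
	if err != nil {
		return nil, err
	}
	// Each derived key encrypts exactly one record, so a fixed zero nonce is safe.
	return &Record{ephPub, gcm.Seal(nil, make([]byte, gcm.NonceSize()), plaintext, nil)}, nil
}

// Open needs the private key, which stays on the customer's own device.
func Open(priv *ecdh.PrivateKey, r *Record) ([]byte, error) {
	ephPub, err := ecdh.X25519().NewPublicKey(r.EphemeralPub)
	if err != nil {
		return nil, err
	}
	gcm, err := aead(priv, ephPub, r.EphemeralPub, priv.PublicKey().Bytes())
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, make([]byte, gcm.NonceSize()), r.Ciphertext, nil)
}

// Demo seals one record, then opens it with the right key and with another key.
func Demo() (opened string, dumpHasPlaintext bool, wrongKeyErr error) {
	customer, err1 := ecdh.X25519().GenerateKey(rand.Reader)
	other, err2 := ecdh.X25519().GenerateKey(rand.Reader)
	if err1 != nil || err2 != nil {
		panic("key generation failed")
	}
	rec, err := Seal(customer.PublicKey(), []byte(samplePayload))
	if err != nil {
		panic(err)
	}
	pt, _ := Open(customer, rec) // a failure here leaves pt empty
	_, wrongKeyErr = Open(other, rec)
	return string(pt), bytes.Contains(rec.Ciphertext, []byte(samplePayload)), wrongKeyErr
}

func main() {
	fmt.Println(Demo())
}
```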

  9. Story useless without... by Anonymous Coward · · Score: 1

    Link?

  10. Probably true by Anonymous Coward · · Score: 2, Insightful

    Finding an old article on mSpy:

    "The mSpy technology aggregates the surveillance activity in a cloud-based, password-protected control panel, from which the user can send remote commands, including blocking access to certain programs, websites and apps, and can also restrict incoming calls or shut down and lock the phone. Now that the mSpy monitoring software can be pre-installed on HTC One, Nexus 5, Samsung Galaxy S4 and iPhone 5s smartphones, the user no longer has to worry about smartphone compatibility with the software or obtaining physical access to the target phone. Smartphones with pre-installed mSpy can be purchased via the company’s website. The mSpy software-plus-smartphone bundle includes a one-year subscription to the premium mSpy software, which is priced at $200. The technology can capture a range of mobile data, including voice calls, emails, SMS, keystrokes, use of Viber, WhatsApp, Skype, chats, location and more. In order to avoid legal repercussions relating to invasion of privacy, MTechnology stipulates in its conditions that mSpy services must not be used for unauthorized surveillance and that users are required to notify people who are being monitored."

    Well things like Viber WhatsApp Skype etc. certainly we know they are NSA tapped. Skype was mentioned in the PRISM document, the later ones will be later additions to the PRISM program, Viber has long been suspect due to its founders connections to the Israel spy agencies.

    Location is intercepted in bulk by a lot of programs for advertising, and that location data is available to advertisers, so it's available to NSA.

    Voice calls? We know they intercept 100% of calls in several countries as of 2012, that capability will have increased. Certainly in the US, or UK, it's simply a matter of tapping in a number and the calls are automatically recorded. General collect it all would have intercepted it all because there was nothing to stop him.

    Emails? Intercepted.

    So yeh, even without having access to mSpy's database (likely hacked or since they are UK based, GCHQ would have slapped a secret demand for data on them, the kind that made Vodafone and BT assist in spying on Brits).

    1. Re:Probably true by Noah+Haders · · Score: 4, Informative

      A clarification, you can't install mspy unless you jailbreak your iPhone. I wouldn't be surprised if the Chinese jail breaking packages come with mspy pre-configured... Also, no jailbreak exists for iOS 8.3, the current version.

    2. Re:Probably true by Anonymous Coward · · Score: 0

      Nice FUD. The only problem with your claim is that other prominent jailbreakers have already stated such things don't exist. So unless you're going to construct some grand conspiracy with some actual evidence to the contrary, fuck off with your FUD.

    3. Re:Probably true by stooo · · Score: 1

      >> prominent jailbreakers have already stated such things don't exist

      So they don't exist. Fact.

      --
      aaaaaaa
    4. Re:Probably true by drinkypoo · · Score: 1

      The only problem with your claim is that other prominent jailbreakers have already stated such things don't exist.

      Even if you're inclined to take people you don't know at their word, and I'm not, are you checksumming or otherwise verifying those downloads to make sure that they're intact? and even if you are, is anyone else?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    5. Re:Probably true by Anonymous Coward · · Score: 0

      Yeah, back in the iOS 4 days. According to the article it wasn't included in iOS5 and beyond.

    6. Re:Probably true by ConfusedVorlon · · Score: 1

      A clarification, you can't install mspy unless you jailbreak your iPhone.

      yes you can.

      http://www.mspy.com/faq.html

      it works by accessing the iCloud backup and extracting data from that.

    7. Re:Probably true by Noah+Haders · · Score: 1

      first, a better link is here:
      http://www.mspy.com/compatibil...

      in order to access the icloud backup and "extract data", it needs to know the user's account password. It basically downloads the icloud backup onto another phone. L33T HAx0Rs!

      As a non-jailbreak iPhone user, I am always on the lookout for potential ways my phone can be hacked. When I find one, I'll let you know.

    8. Re:Probably true by Noah+Haders · · Score: 1

      The most recent jailbreak for 8.2 wasn't released by the old jail dal teams like redsnow or whoever. It was released by a new Chinese group nobody has heard of. Hmm, I wonder who they work for? Still FUD?

    9. Re: Probably true by Fnord666 · · Score: 1

      A clarification, you can't install mspy unless you jailbreak your iPhone. I wouldn't be surprised if the Chinese jail breaking packages come with mspy pre-configured... Also, no jailbreak exists for iOS 8.3, the current version.

      Incorrect

      --
      'The tyrant will always find pretext for his tyranny.' - Aesop's Fables
  11. It's a real shame... by jenningsthecat · · Score: 5, Insightful

    ...that the data stolen belonged to people whose privacy was already being grossly invaded, rather than to the fuckwits who thought it was a good idea to spy on their family members.

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:It's a real shame... by rtb61 · · Score: 1

      I am sure 'MSpy' wrote in all sorts of stuff in the EULA to ensure that all your data belong to them. Perhaps they felt there was more money in selling the data than in looking after it. Unencrypted means only one thing, they did not care about keeping it secure internally ie they were already trawling through it all for the juicy bits. They do have a Seychelles office http://www.taxjustice.net/2014... which puts them immediately under extreme suspicion.

      --
      Chaos - everything, everywhere, everywhen
    2. Re:It's a real shame... by mwvdlee · · Score: 5, Insightful

      The people whose data was spied upon never agreed to any EULA.

      --
      Slashdot social media options: AIM, ICQ, Yahoo, Jabber and Mobile Text. Why no MySpace?
    3. Re:It's a real shame... by AmiMoJo · · Score: 1

      I wouldn't be so sure about that. Chances are that their Apple IDs and email addresses are exposed, as well as maybe some embarrassing photos if they are the partner of their victim. An Apple ID is all it took to crack all those celebrity iCloud accounts because their passwords and recovery info were usually easy to guess. In this case the names and probably birthdays of their families are known, their anniversary date etc.

      Any CEOs or politicians involved should be worried.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    4. Re:It's a real shame... by Anonymous Coward · · Score: 0

      ...that the data stolen belonged to people whose privacy was already being grossly invaded, rather than to the fuckwits who thought it was a good idea to spy on their family members.

      Don't assume those morons know mobile security any better than those they are spying on.

      Remember they had to go pay someone to install spyware on a smartphone. I'm still laughing over that concept.

    5. Re:It's a real shame... by Anonymous Coward · · Score: 0

      I know this is a crazy thought, but not all of the kids were uninformed. Some were informed that it was a condition of getting a phone. They agreed and knew about it the entire time they were using said phone.

    6. Re:It's a real shame... by Anonymous Coward · · Score: 0

      That's like a cop holding a gun to your head and saying "don't move". Sure- you have a choice technically, but in reality that's no choice at all.

    7. Re:It's a real shame... by MooseTick · · Score: 1

      You eventually have to move. You don't HAVE to have an iPhone. Many of us survived decades without one.

  12. This is actually great by DoofusOfDeath · · Score: 2

    Can you imagine the number of lawsuits this is going to bring against the people who installed it?

  13. How does iPhone spyware even work? by Just+Some+Guy · · Score: 1

    Say I want to spy on my kid. (I don't, but work with me here.) How would that software work? Short of jailbreaking the phone, I can't imagine what iPhone spyware would look like. Would said kid have a Spy On Me app that she'd need to run from time to time? Even keyboard replacement apps are somewhat vetted in what information they send to their vendors, and I don't think they have access to photos, email, or anything else but the keyboard.

    --
    Dewey, what part of this looks like authorities should be involved?
    1. Re:How does iPhone spyware even work? by Just+Some+Guy · · Score: 4, Informative

      Never mind - I found it myself. Short answer: either jailbreak the phone or give them your victim's iCloud credentials so they can trawl the backup files.

      --
      Dewey, what part of this looks like authorities should be involved?
    2. Re:How does iPhone spyware even work? by Anonymous Coward · · Score: 0

      found the onion address?

  14. MSpy Tor Onion Address? by Anonymous Coward · · Score: 2, Insightful

    Well, ok, so what is the onion address?
    We can't really evaluate this stuff without the source.

    1. Re:MSpy Tor Onion Address? by Anonymous Coward · · Score: 0

      I want to know if my info is on this also. Anyone have the link?

    2. Re:MSpy Tor Onion Address? by Anonymous Coward · · Score: 3, Informative

      Not that it helps because the hoster has said they have disabled the downloads for 1-2 days but it's

      http://mspycomkftki3h54.onion/

    3. Re: MSpy Tor Onion Address? by Anonymous Coward · · Score: 0

      I blame Canada

  15. O-la la Paris is burning by Anonymous Coward · · Score: 0

    And the Germans are not involved!

  16. Journalism fail by Anonymous Coward · · Score: 0

    I'm very sceptical of this claim, as the actual .onion address is blurred out in the original article, so there is no way to independently verify any aspect of this story.

    Journalism/Krebs fail.

  17. Like drug dealers! by Anonymous Coward · · Score: 0

    You get involved in the game, and nobody cares if you're a victim of it.

  18. it wus dem haxx0rz, rilly! by Anonymous Coward · · Score: 0

    cuz only haxx0rz can do teh haxx, c?

  19. Cerberus for Android also hacked by Anonymous Coward · · Score: 0

    Cerberus which is a spy/find my phone app for Android was also hacked a while back. A real treasure trove of data!

  20. Re:Choose iKeyMonitor spy app. by l0n3s0m3phr34k · · Score: 1

    "Can't believe that it has been hacked" Really? I'm honestly surprised it took this long, and these types of apps are very high-value targets for scammers and their hacker helpers.

  21. If you don't by Anonymous Coward · · Score: 0

    ... information gleaned is stored on mSpy's servers ...

    A company which invades the privacy of strangers, got its privacy invaded. If you don't want to be mugged, don't tell criminals how much cash you're carrying. If you don't want a privacy breach, don't leave strangers' files sitting on internet servers. This should surprise no-one, in particular, the people who were spying (and helping mSpy spy) on iPhones in the first place.

    The horror is the strangers in question have no idea their documents have been copied; two times. Where's the copyright police when it's the little guy?

    ... records a video or takes a photo with their camera phone, it will be immediately uploaded to your mSpy account.

    The mSpy service is targeted towards business phones and teenagers' phones: Now a business phone shouldn't have a lot of private information on it anyway. A teenager though, will use the phone as the communication and storage device it is; putting her whole life into its memory. Copying personal information to stop pedophiles is the dumbest idea anyone has monetized: This is more than criminal negligence, it is child abuse.

    1. Re: If you don't by Anonymous Coward · · Score: 0

      I perfectly agree, especially on the child abuse these parents are perpetrating with quite laughable excuses.

      Not only are they invading the privacy of their own children, they are also teaching them that it is perfectly OK to be spied on (which makes me wonder what kind of adults they will become) and, as this episode shows, they are also exposing their children to greater dangers.

      Unfortunately, pretty much everywhere in the world, children are thought of as less than persons, when not private property of their parents. This has to change. Even if young and in need of guidance they are still persons and the rights that everyone has apply to them too. Including the right of privacy and to have a life that they don't want to share with their parents.

      My children need to grow up knowing that I respect them as persons, they need to know that I trust them and that I give them the chance to build their self confidence and responsibility and also the chance to make mistakes and pay for them. It is impossible to achieve this without trust and respect.

      These parents not only are a failure as parents, but they are actually abusing their children. There is no excuse for this.

  22. BS? by Anonymous Coward · · Score: 0

    Talked to them via chat on their web, they deny all the claims and say the software and customer data is safe.

  23. Mobile Spy Software Maker MSpy Hacked by nickweller · · Score: 1

    What was the nature of the hack? What Operating System and platform does MSpy keep its customer database on?

  24. Not much data by Anonymous Coward · · Score: 1

    "Several hundred GB" divided by "~2m people" equals "a couple hundred KB per person."

    These days, that's a tiny amount of data to be "complete contents"

    1. Re:Not much data by Anonymous Coward · · Score: 0

      An Apple ID and password are only a few tens of bytes; but are enough to get at a much larger amount of personal data if the user doesn't know their password's been compromised.
      Also, how many people would use the same password on their bank accounts? A lot more than should.

  25. Install spyware? My data is lost why? by Anonymous Coward · · Score: 0

    Why would these idiots be surprised given that they are knowingly installing an application we would consider malicious under "normal" circumstances. Security or knowledge through spyware/malware/viruses/(insert the ones I have forgotten here) isn't security in my opinion.

  26. "So much for keeping your children safe." by Anonymous Coward · · Score: 0

    Fucking LMAO. Putting spyware on their phones is not how you keep children safe. The rest of the potential use cases are for stalkers. Nice job, guys.